Unknown · Firefighter · CVE-2026-42864
**Name of the Vulnerable Software and Affected Versions**
FireFighter versions prior to 0.0.54
**Description**
The 'POST /api/v2/firefighter/raid/jira bot' endpoint (CreateJiraBotView) is accessible without authentication. The `attachments` payload is processed via `httpx.get()` without URL validation, allowing an unauthenticated caller to force the server to fetch arbitrary URLs and exfiltrate the response as a Jira attachment. This Server-Side Request Forgery (SSRF)—a flaw where a server is coerced into making unintended requests—can be used on EC2/EKS deployments not enforcing IMDSv2 to steal temporary AWS credentials attached to the pod's IAM role.
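The missing check, as an added example and not code from the FireFighter project: a validator of the kind an attachment URL needs before it is handed to `httpx.get()`. It rejects non-HTTP schemes, embedded credentials, and any host whose resolved addresses are private, loopback or link-local (the range that contains the 169.254.169.254 instance-metadata endpoint). The `resolve` parameter, the `is_fetchable` wrapper and the hostnames are assumptions so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects private ranges, loopback, link-local (which covers the
    169.254.169.254 metadata endpoint), multicast, reserved and unspecified.
    """
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_attachment_url(url: str, resolve=socket.getaddrinfo) -> str:
    """Return `url` if it is safe to fetch server-side, else raise ValueError.

    `resolve` is injectable (assumption for offline testing); it must return
    getaddrinfo-style tuples whose sockaddr[0] is the IP as a string.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    if parsed.username or parsed.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # literal IP: judge it directly, no DNS lookup
    except ValueError:
        try:
            infos = resolve(host, parsed.port or 443)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}") from exc
        candidates = [info[4][0] for info in infos]
    if not candidates:
        raise ValueError(f"no addresses for {host}")
    # Every address must be public: a single internal A/AAAA record is enough to reject.
    for ip_text in candidates:
        if not is_public_address(ip_text):
            raise ValueError(f"{host} resolves to non-public address {ip_text}")
    return url


def is_fetchable(url: str, resolve=socket.getaddrinfo) -> bool:
    """Boolean convenience wrapper around validate_attachment_url."""
    try:
        validate_attachment_url(url, resolve)
        return True
    except ValueError:
        return False
```

The fetch that follows must connect to the address just validated (or re-run the check per hop) and must not follow redirects automatically, otherwise a second DNS lookup or a 302 can still land on an internal host.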
**Recommendations**
Update to version 0.0.54.
Restrict ingress access to the 'POST /api/v2/firefighter/raid/jira bot' endpoint to trusted networks only.
Rotate or revoke the Jira API token configured as `RAID JIRA API PASSWORD` as an emergency measure.
Enforce IMDSv2 with `HttpPutResponseHopLimit=1` on EC2/EKS nodes to prevent IAM credential theft.