CVE-2024-51408

Name of the Vulnerable Software and Affected Versions AppSmith Community versions 1.8.3 through 1.46

Description The issue allows for Server-Side Request Forgery (SSRF) via the New DataSource feature for application/json requests to the IP address 169.254.169.254, which is used to retrieve AWS metadata credentials. This can be exploited by attackers to access AWS credentials by manipulating internal server requests.

Recommendations For versions 1.8.3 through 1.45, update to version 1.46 to resolve the issue. As a temporary workaround, consider restricting access to the New DataSource feature until the update is applied. Avoid using the New DataSource feature for application/json requests to the IP address 169.254.169.254 until the issue is resolved.