DataLinkDC Dinky Flink Proxy Controller Allows Remote Attack

Summary

A flaw in the Flink Proxy Controller in DataLinkDC Dinky versions up to 1.2.5 allows an attacker to trick the server into performing malicious actions on the attacker's behalf. This could potentially allow an attacker to gain unauthorized access or disrupt the system. As the exploit code has been made public, we recommend updating to the latest version to minimize the risk of exploitation.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
dinky	dinky	<= 1.2.5	–

Original title

A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the ...

Original description

A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

nvd CVSS2.0 6.5

nvd CVSS3.1 7.7

nvd CVSS4.0 5.3

Vulnerability type

CWE-918 Server-Side Request Forgery (SSRF)

https://github.com/AnalogyC0de/public_exp/issues/7 Exploit Issue Tracking Third Party Advisory
https://github.com/AnalogyC0de/public_exp/issues/7#issue-3935032160 Exploit Issue Tracking Third Party Advisory
https://vuldb.com/?ctiid.347410 Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.347410 Third Party Advisory VDB Entry
https://vuldb.com/?submit.757587 Third Party Advisory VDB Entry