Summary

Jamf Pro before version 10.32 is vulnerable to a server-side request forgery vulnerability that allows attackers to request arbitrary URLs and read the full HTTP response for these requests.

Jamf offers on-premises and cloud-based mobile device management. Jamf Pro is an application used by system administrators to configure and automate IT administration tasks for macOS, iOS, iPadOS, and tvOS devices. As Jamf Pro is often deployed on-premises within an internal network, this vulnerability exposes that internal network to authenticated Jamf Pro users. This could allow an attacker to pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials.

Impact

An attacker can request arbitrary URLs on behalf of the Jamf Pro server. On cloud environments such as AWS, this poses a greater risk, as an attacker can potentially obtain AWS credentials via the metadata IP address. This vulnerability is only exploitable after an attacker has authenticated to the Jamf Pro instance.

Reproduction

The following HTTP request can be made to reproduce this issue, once authenticated to Jamf:

POST /eduFeatureSettingsTest.ajax?id=0&o=r HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: JSESSIONID=NGQwZDlkODQtZmY4MS00NjI3LTk5MGUtODA1MDg0NmRhZmY4

The full HTTP response for the requested URL can be found in the base64Image XML tag of the response from the Jamf server:

HTTP/1.1 200
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Cache-Control: no-store, no-cache, must-revalidate

Remediation

In order to remediate this vulnerability, we recommend upgrading to the latest version of Jamf Pro on-premises. Please find the details about this Jamf release here. This vulnerability was patched in Jamf 10.32.
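As an added triage example (not part of this advisory or of Jamf's own tooling), the Python script below checks an installed Jamf Pro version against the 10.32 fix and scans web-server access logs for requests to the /eduFeatureSettingsTest.ajax endpoint named in the reproduction request, separating those the server answered with 2xx (an authenticated session) from rejected ones. It assumes a combined-log-format access log, which the advisory does not show; the sample log lines are constructed.

```python
import re
from typing import List, Tuple

# Release that fixed the SSRF, per the advisory above.
FIXED_VERSION = (10, 32)
# Endpoint from the advisory's reproduction request.
VULNERABLE_ENDPOINT = "/eduFeatureSettingsTest.ajax"

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Jamf Pro version string such as '10.31.1' into a comparable tuple."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(version: str) -> bool:
    """True when the installed release predates the 10.32 fix."""
    return parse_version(version) < FIXED_VERSION

# Combined log format; an assumption, since the advisory shows no server log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_endpoint_hits(log_lines: List[str]) -> List[dict]:
    """Parsed entries for every request to the SSRF endpoint, whatever its status."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == VULNERABLE_ENDPOINT:
            hits.append(m.groupdict())
    return hits

def successful_endpoint_hits(log_lines: List[str]) -> List[dict]:
    """Only hits answered with 2xx: the ones an authenticated session could have used."""
    return [h for h in find_endpoint_hits(log_lines) if h["status"].startswith("2")]

# Constructed sample lines, not real Jamf Pro logs.
SAMPLE_LOG = [
    '10.0.0.5 - jsmith [12/Oct/2021:10:15:32 +0000] "POST /eduFeatureSettingsTest.ajax?id=0&o=r HTTP/1.1" 200 4096',
    '10.0.0.5 - jsmith [12/Oct/2021:10:15:40 +0000] "GET /computers.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/Oct/2021:10:16:01 +0000] "POST /eduFeatureSettingsTest.ajax?id=0&o=r HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable("10.31.1"))
    for hit in successful_endpoint_hits(SAMPLE_LOG):
        print(f"review session of {hit['user']} from {hit['ip']} at {hit['ts']}")
```

Any 2xx hit on a release before 10.32 is worth reviewing against the session's other activity, since the advisory notes the response body carries the fetched content in the base64Image tag.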