Inedo ProGet 2024.22 Denial of Service / Information Disclosure / CSRF

Exploit Details

Basic Information

Exploit Title: Inedo ProGet 2024.22 Denial of Service / Information Disclosure / CSRF
Exploit ID: PACKETSTORM:190682
Type: packetstorm
Published: 2025-04-28T00:00:00
Modified: 2025-04-28T00:00:00

CVSS Information

CVSS Score: 0.0
Severity: NONE
Vector: NONE

CVE Information

Exploit Description

Inedo ProGet version 2024.22 suffers…

Exploit Code

Inedo ProGet 2024.22 and below are vulnerable to unauthenticated denial of service and information disclosure attacks (among other things) because the information system directly exposes the C# reflection used during the request-action mapping process and fails to properly protect certain pathways. These are amplified by cross-site request forgery (CSRF) vulnerabilities due to the application’s failure to verify the HTTP request method and apply CSRF protections accordingly. Specifically, unauthenticated attackers can chain CSRF and reflection attacks to cancel executions, restart the ProGet instance, and perform certain other actions. The following is a sample script that can be used to demonstrate the vulnerability, restarting the victim Inedo ProGet instance ad infinitum. Notably, this attack will work regardless of browser pre-flight protections, etc., since ProGet ignores the HTTP request method. It is likely that more recent versions are also vulnerable to this, but the CSRF portion allows attacking internal (private) instances in addition to directly accessible (e.g., public) instances. This vulnerability is known to exist across multiple major versions.

Insecure Reflection + CSRF + DOS Attack

It’s silently working in the background…
