Attacker with SSRF capability can obtain application secrets
Affected product(s)
- Gradle Enterprise 2017.6 - 2021.1.2
Severity
High
Published at
2021-05-31
Related CVE ID(s)
Description
An attacker with the ability to perform Server-Side Request Forgery (SSRF) can potentially access private application configuration information containing secrets used as credentials to connect to other systems, such as the application database. An attacker must first find and utilize an SSRF vulnerability within the application, then discover the unadvertised address of the HTTP endpoint that is only accessible from the server side.
As of 2021.1.3, the endpoint in question requires extra access credentials.
Mitigation
Upgrade to Gradle Enterprise 2021.1.3.
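The failure mode described above, reduced to an added illustrative model that is not Gradle Enterprise's code: an internal endpoint whose only protection is being reachable from the server side, beside the 2021.1.3-style fix that additionally requires a credential. The endpoint path, token scheme and configuration values are hypothetical.

```python
import hmac
import secrets

# Hypothetical stand-in for the unadvertised internal endpoint; the real
# Gradle Enterprise path is not published in the advisory and is not used here.
INTERNAL_CONFIG_PATH = "/internal/config"

# Constructed example of the kind of secret such an endpoint would expose.
CONFIG = {"database.password": "example-only-not-real"}


def authorize_locality_only(request):
    """Pre-fix model: the endpoint is 'protected' only by being reachable
    from the server side. A request the application is tricked into making
    (SSRF) originates from the same host, so it passes this check."""
    return request["remote_addr"] in ("127.0.0.1", "::1")


def authorize_with_credential(request, expected_token):
    """Fixed model: a credential the SSRF'd application never attaches is
    required in addition to server-side reachability."""
    presented = request["headers"].get("Authorization", "")
    if not presented.startswith("Bearer "):
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(presented[len("Bearer "):], expected_token)


def handle(request, expected_token, require_credential=True):
    """Returns (status, body) for the internal endpoint under either policy."""
    if request["path"] != INTERNAL_CONFIG_PATH:
        return 404, None
    if require_credential:
        ok = authorize_with_credential(request, expected_token)
    else:
        ok = authorize_locality_only(request)
    return (200, dict(CONFIG)) if ok else (401, None)


# Constructed request as a server-side forged fetch would appear to the
# endpoint: it arrives from loopback but carries no credential.
SSRF_STYLE_REQUEST = {"remote_addr": "127.0.0.1",
                      "path": INTERNAL_CONFIG_PATH, "headers": {}}


def demo():
    """Locality-only policy leaks the config (200); credential policy refuses
    the same request (401) while a caller holding the token still succeeds."""
    token = secrets.token_urlsafe(32)
    before = handle(SSRF_STYLE_REQUEST, token, require_credential=False)[0]
    after = handle(SSRF_STYLE_REQUEST, token)[0]
    legit = dict(SSRF_STYLE_REQUEST,
                 headers={"Authorization": f"Bearer {token}"})
    return before, after, handle(legit, token)[0]  # (200, 401, 200)
```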