CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4629 vulnerabilities reference this CWE, most recent first.
GHSA-V3GX-42R7-J2H7
Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation.
{
"affected": [],
"aliases": [
"CVE-2026-7471"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T06:16:25Z",
"severity": "LOW"
},
"details": "GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make requests to internal hosts due to improper validation.",
"id": "GHSA-v3gx-42r7-j2h7",
"modified": "2026-05-14T06:31:34Z",
"published": "2026-05-14T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7471"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/594196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V3QF-FGCW-33VG
Vulnerability from github – Published: 2024-12-16 15:31 – Updated: 2026-04-01 18:32Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through 2.0.82.
{
"affected": [],
"aliases": [
"CVE-2024-54385"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-16T15:15:12Z",
"severity": "HIGH"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through 2.0.82.",
"id": "GHSA-v3qf-fgcw-33vg",
"modified": "2026-04-01T18:32:50Z",
"published": "2024-12-16T15:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54385"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-82-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V3RV-7532-9GG6
Vulnerability from github – Published: 2024-10-16 09:30 – Updated: 2024-10-16 09:30The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Server-Side Request Forgery in versions up to, and including 6.1, 1.0 respectively. This makes it possible for attackers to forgery requests coming from a vulnerable site's server and ultimately perform an XSS attack if requesting an SVG file.
{
"affected": [],
"aliases": [
"CVE-2012-10018"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T07:15:03Z",
"severity": "HIGH"
},
"details": "The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Server-Side Request Forgery in versions up to, and including 6.1, 1.0 respectively. This makes it possible for attackers to forgery requests coming from a vulnerable site\u0027s server and ultimately perform an XSS attack if requesting an SVG file.",
"id": "GHSA-v3rv-7532-9gg6",
"modified": "2024-10-16T09:30:30Z",
"published": "2024-10-16T09:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-10018"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/161919"
},
{
"type": "WEB",
"url": "https://packetstormsecurity.com/files/161920"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2503447"
},
{
"type": "WEB",
"url": "https://www.mapplic.com/docs/#changelog"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5aacabb5-94af-485a-af24-e84db3e3726f?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-V3W7-G6P2-MPX7
Vulnerability from github – Published: 2024-11-25 09:30 – Updated: 2025-11-07 16:41A flaw was found in OpenShift Console. A Server Side Request Forgery (SSRF) attack can happen if an attacker supplies all or part of a URL to the server to query. The server is considered to be in a privileged network position and can often reach exposed services that aren't readily available to clients due to network filtering. Leveraging such an attack vector, the attacker can have an impact on other services and potentially disclose information or have other nefarious effects on the system. The /api/dev-console/proxy/internet endpoint on the OpenShit Console allows authenticated users to have the console's pod perform arbitrary and fully controlled HTTP(s) requests. The full response to these requests is returned by the endpoint. While the name of this endpoint suggests the requests are only bound to the internet, no such checks are in place. An authenticated user can therefore ask the console to perform arbitrary HTTP requests from outside the cluster to a service inside the cluster.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/openshift/console"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "6.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6538"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-11-25T17:25:19Z",
"nvd_published_at": "2024-11-25T07:15:06Z",
"severity": "MODERATE"
},
"details": "A flaw was found in OpenShift Console. A Server Side Request Forgery (SSRF) attack can happen if an attacker supplies all or part of a URL to the server to query. The server is considered to be in a privileged network position and can often reach exposed services that aren\u0027t readily available to clients due to network filtering. Leveraging such an attack vector, the attacker can have an impact on other services and potentially disclose information or have other nefarious effects on the system.\nThe /api/dev-console/proxy/internet endpoint on the OpenShit Console allows authenticated users to have the console\u0027s pod perform arbitrary and fully controlled HTTP(s) requests. The full response to these requests is returned by the endpoint.\nWhile the name of this endpoint suggests the requests are only bound to the internet, no such checks are in place. An authenticated user can therefore ask the console to perform arbitrary HTTP requests from outside the cluster to a service inside the cluster.",
"id": "GHSA-v3w7-g6p2-mpx7",
"modified": "2025-11-07T16:41:17Z",
"published": "2024-11-25T09:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6538"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:14397"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19058"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:7863"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8280"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:8556"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-6538"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2296057"
},
{
"type": "PACKAGE",
"url": "https://github.com/openshift/console"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenShift Console Server Side Request Forgery vulnerability"
}
GHSA-V3WH-98RQ-2X2M
Vulnerability from github – Published: 2024-04-24 09:30 – Updated: 2026-04-28 21:34Server-Side Request Forgery (SSRF) vulnerability in 2day.Sk, Webikon SuperFaktura WooCommerce.This issue affects SuperFaktura WooCommerce: from n/a through 1.40.3.
{
"affected": [],
"aliases": [
"CVE-2024-32803"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-24T08:15:40Z",
"severity": "MODERATE"
},
"details": "Server-Side Request Forgery (SSRF) vulnerability in 2day.Sk, Webikon SuperFaktura WooCommerce.This issue affects SuperFaktura WooCommerce: from n/a through 1.40.3.",
"id": "GHSA-v3wh-98rq-2x2m",
"modified": "2026-04-28T21:34:52Z",
"published": "2024-04-24T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32803"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-superfaktura/wordpress-superfaktura-woocommerce-plugin-1-40-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V44Q-7W5X-W6HW
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.
{
"affected": [],
"aliases": [
"CVE-2021-35512"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-21T12:15:00Z",
"severity": "MODERATE"
},
"details": "An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.",
"id": "GHSA-v44q-7w5x-w6hw",
"modified": "2022-05-24T19:18:27Z",
"published": "2022-05-24T19:18:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35512"
},
{
"type": "WEB",
"url": "https://www.esecforte.com/server-side-request-forgery-india-ssrf-rvd-manage-engine"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/applications_manager"
},
{
"type": "WEB",
"url": "https://www.manageengine.com/products/applications_manager/release-notes.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V467-G7G7-HHFH
Vulnerability from github – Published: 2026-03-19 12:43 – Updated: 2026-04-13 17:40Summary
The Scheduler plugin's run() function in plugin/Scheduler/Scheduler.php calls url_get_contents() with an admin-configurable callbackURL that is validated only by isValidURL() (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler's callback URL is never passed through isSSRFSafeURL(), which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network callbackURL to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet.
Details
The vulnerable code is at plugin/Scheduler/Scheduler.php:157-166:
// Line 157: callback URL retrieved and site-root token substituted
$callBackURL = $e->getCallbackURL();
$callBackURL = str_replace('$SITE_ROOT_TOKEN', $global['webSiteRootURL'], $callBackURL);
if (!isValidURL($callBackURL)) {
return false;
}
// isValidURL() only checks URL format via filter_var(..., FILTER_VALIDATE_URL)
// The critical missing check is:
// if (!isSSRFSafeURL($callBackURL)) { return false; }
if (empty($_executeSchelude[$callBackURL])) {
$_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);
isValidURL() in objects/functions.php uses filter_var($url, FILTER_VALIDATE_URL) — it validates URL syntax only and does not block internal/private network targets.
isSSRFSafeURL() in objects/functions.php:4021 explicitly blocks:
- 127.x.x.x / ::1 (loopback)
- 10.x.x.x, 172.16-31.x.x, 192.168.x.x (RFC-1918 private)
- 169.254.x.x (link-local, including AWS/GCP metadata at 169.254.169.254)
- IPv6 private ranges
This function was added to the LiveLinks proxy (GHSA-9x67-f2v7-63rw fix, commit 0e5638292) and was previously used in the aVideoEncoder download flow (GHSA-h39h-7cvg-q7j6), but the Scheduler plugin was not updated in either fix wave, leaving it as an incomplete patch.
An admin can configure the callbackURL for a scheduled task via the Scheduler plugin UI and trigger execution immediately via the "Run now" interface.
PoC
# Step 1: Authenticate as admin
# Step 2: Create a scheduled task with cloud metadata SSRF callback
curl -b "admin_session=<session>" -X POST \
https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/add.json.php \
-d "callbackURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/&status=a&type=&date_to_execute=2026-03-18+12:00:00"
# Step 3: Trigger immediate execution via Scheduler run endpoint
curl -b "admin_session=<session>" \
https://target.avideo.site/plugin/Scheduler/run.php
# Step 4: Read the scheduler execution logs
curl -b "admin_session=<session>" \
https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/get.json.php
# Response includes the AWS metadata API response with IAM role credentials
Expected: Internal network addresses rejected before HTTP request is made.
Actual: The server makes an HTTP request to http://169.254.169.254/latest/meta-data/iam/security-credentials/ and the response (including AWS IAM role credentials) is stored in the scheduler execution log.
Impact
- Cloud credential theft: On AWS, GCP, or Azure deployments, the attacker can retrieve IAM instance role credentials from the cloud metadata service (
169.254.169.254), potentially enabling privilege escalation within the cloud environment. - Internal service probing: The attacker can make the server issue requests to internal APIs, microservices, or databases with HTTP interfaces not exposed to the internet.
- Incomplete patch amplification: The fix for GHSA-9x67-f2v7-63rw and GHSA-h39h-7cvg-q7j6 added
isSSRFSafeURL()to specific call sites but not the Scheduler. Deployments that updated expecting comprehensive SSRF protection remain vulnerable via this path. - Blast radius: Requires admin access. Impact is significant in cloud-hosted deployments where instance metadata credentials unlock broader infrastructure access.
Recommended Fix
Add isSSRFSafeURL() validation to the Scheduler callback URL before url_get_contents() is called, consistent with the existing SSRF fixes in plugin/LiveLinks/proxy.php and objects/aVideoEncoder.json.php:
$callBackURL = $e->getCallbackURL();
if (!isValidURL($callBackURL)) {
return false;
}
// Add this SSRF check — same pattern as LiveLinks proxy fix (GHSA-9x67-f2v7-63rw):
if (!isSSRFSafeURL($callBackURL)) {
_error_log("Scheduler::run SSRF protection blocked callbackURL: " . $callBackURL);
return false;
}
if (empty($_executeSchelude[$callBackURL])) {
$_executeSchelude[$callBackURL] = url_get_contents($callBackURL, '', 30);
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 25.0"
},
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33237"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T12:43:23Z",
"nvd_published_at": "2026-03-21T00:16:26Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nThe Scheduler plugin\u0027s `run()` function in `plugin/Scheduler/Scheduler.php` calls `url_get_contents()` with an admin-configurable `callbackURL` that is validated only by `isValidURL()` (URL format check). Unlike other AVideo endpoints that were recently patched for SSRF (GHSA-9x67-f2v7-63rw, GHSA-h39h-7cvg-q7j6), the Scheduler\u0027s callback URL is never passed through `isSSRFSafeURL()`, which blocks requests to RFC-1918 private addresses, loopback, and cloud metadata endpoints. An admin can configure a scheduled task with an internal network `callbackURL` to perform SSRF against cloud infrastructure metadata services or internal APIs not otherwise reachable from the internet.\n\n## Details\n\nThe vulnerable code is at `plugin/Scheduler/Scheduler.php:157-166`:\n\n```php\n// Line 157: callback URL retrieved and site-root token substituted\n$callBackURL = $e-\u003egetCallbackURL();\n$callBackURL = str_replace(\u0027$SITE_ROOT_TOKEN\u0027, $global[\u0027webSiteRootURL\u0027], $callBackURL);\nif (!isValidURL($callBackURL)) {\n return false;\n}\n// isValidURL() only checks URL format via filter_var(..., FILTER_VALIDATE_URL)\n// The critical missing check is:\n// if (!isSSRFSafeURL($callBackURL)) { return false; }\nif (empty($_executeSchelude[$callBackURL])) {\n $_executeSchelude[$callBackURL] = url_get_contents($callBackURL, \u0027\u0027, 30);\n```\n\n`isValidURL()` in `objects/functions.php` uses `filter_var($url, FILTER_VALIDATE_URL)` \u2014 it validates URL syntax only and does not block internal/private network targets.\n\n`isSSRFSafeURL()` in `objects/functions.php:4021` explicitly blocks:\n- `127.x.x.x` / `::1` (loopback)\n- `10.x.x.x`, `172.16-31.x.x`, `192.168.x.x` (RFC-1918 private)\n- `169.254.x.x` (link-local, including AWS/GCP metadata at `169.254.169.254`)\n- IPv6 private ranges\n\nThis function was added to the LiveLinks proxy (GHSA-9x67-f2v7-63rw fix, commit `0e5638292`) and was previously used in the aVideoEncoder download flow (GHSA-h39h-7cvg-q7j6), but the Scheduler plugin was not updated in either fix wave, leaving it as an incomplete patch.\n\nAn admin can configure the `callbackURL` for a scheduled task via the Scheduler plugin UI and trigger execution immediately via the \"Run now\" interface.\n\n## PoC\n\n```bash\n# Step 1: Authenticate as admin\n\n# Step 2: Create a scheduled task with cloud metadata SSRF callback\ncurl -b \"admin_session=\u003csession\u003e\" -X POST \\\n https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/add.json.php \\\n -d \"callbackURL=http://169.254.169.254/latest/meta-data/iam/security-credentials/\u0026status=a\u0026type=\u0026date_to_execute=2026-03-18+12:00:00\"\n\n# Step 3: Trigger immediate execution via Scheduler run endpoint\ncurl -b \"admin_session=\u003csession\u003e\" \\\n https://target.avideo.site/plugin/Scheduler/run.php\n\n# Step 4: Read the scheduler execution logs\ncurl -b \"admin_session=\u003csession\u003e\" \\\n https://target.avideo.site/plugin/Scheduler/View/Scheduler_commands/get.json.php\n# Response includes the AWS metadata API response with IAM role credentials\n```\n\n**Expected:** Internal network addresses rejected before HTTP request is made.\n**Actual:** The server makes an HTTP request to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` and the response (including AWS IAM role credentials) is stored in the scheduler execution log.\n\n## Impact\n\n- **Cloud credential theft:** On AWS, GCP, or Azure deployments, the attacker can retrieve IAM instance role credentials from the cloud metadata service (`169.254.169.254`), potentially enabling privilege escalation within the cloud environment.\n- **Internal service probing:** The attacker can make the server issue requests to internal APIs, microservices, or databases with HTTP interfaces not exposed to the internet.\n- **Incomplete patch amplification:** The fix for GHSA-9x67-f2v7-63rw and GHSA-h39h-7cvg-q7j6 added `isSSRFSafeURL()` to specific call sites but not the Scheduler. Deployments that updated expecting comprehensive SSRF protection remain vulnerable via this path.\n- **Blast radius:** Requires admin access. Impact is significant in cloud-hosted deployments where instance metadata credentials unlock broader infrastructure access.\n\n## Recommended Fix\n\nAdd `isSSRFSafeURL()` validation to the Scheduler callback URL before `url_get_contents()` is called, consistent with the existing SSRF fixes in `plugin/LiveLinks/proxy.php` and `objects/aVideoEncoder.json.php`:\n\n```php\n$callBackURL = $e-\u003egetCallbackURL();\nif (!isValidURL($callBackURL)) {\n return false;\n}\n// Add this SSRF check \u2014 same pattern as LiveLinks proxy fix (GHSA-9x67-f2v7-63rw):\nif (!isSSRFSafeURL($callBackURL)) {\n _error_log(\"Scheduler::run SSRF protection blocked callbackURL: \" . $callBackURL);\n return false;\n}\nif (empty($_executeSchelude[$callBackURL])) {\n $_executeSchelude[$callBackURL] = url_get_contents($callBackURL, \u0027\u0027, 30);\n```",
"id": "GHSA-v467-g7g7-hhfh",
"modified": "2026-04-13T17:40:20Z",
"published": "2026-03-19T12:43:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-v467-g7g7-hhfh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33237"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/issues/10403"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/df926e500580c2a1e3c70351f0c30f4e15c0fd83"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "AVideo has SSRF in Scheduler Plugin via callbackURL Missing `isSSRFSafeURL()` Validation"
}
GHSA-V4GR-CW6X-C3JW
Vulnerability from github – Published: 2022-01-25 00:00 – Updated: 2022-01-29 00:00Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing. A remote malicious user could potentially exploit this vulnerability, allowing port scanning of external hosts.
{
"affected": [],
"aliases": [
"CVE-2021-36349"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing. A remote malicious user could potentially exploit this vulnerability, allowing port scanning of external hosts.",
"id": "GHSA-v4gr-cw6x-c3jw",
"modified": "2022-01-29T00:00:57Z",
"published": "2022-01-25T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36349"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000195103"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-V4HW-9W3F-HCGH
Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-11-07 03:30An issue in Open-Source Technology Committee SRS real-time video server RS/4.0.268(Leo) and SRS/4.0.195(Leo) allows a remote attacker to execute arbitrary code via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2024-33250"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T15:37:30Z",
"severity": "HIGH"
},
"details": "An issue in Open-Source Technology Committee SRS real-time video server RS/4.0.268(Leo) and SRS/4.0.195(Leo) allows a remote attacker to execute arbitrary code via a crafted request.",
"id": "GHSA-v4hw-9w3f-hcgh",
"modified": "2024-11-07T03:30:31Z",
"published": "2024-05-14T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33250"
},
{
"type": "WEB",
"url": "https://github.com/hacker2004/cccccckkkkkk/blob/main/CVE-2024-33250.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V4MM-Q8FV-R2W5
Vulnerability from github – Published: 2024-04-09 09:31 – Updated: 2025-10-15 15:46A flaw was found inJwtValidator.resolvePublicKey in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.wildfly.security:wildfly-elytron-realm-token"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.4.0.CR1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-1233"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-09T18:53:09Z",
"nvd_published_at": "2024-04-09T07:15:08Z",
"severity": "HIGH"
},
"details": "A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.",
"id": "GHSA-v4mm-q8fv-r2w5",
"modified": "2025-10-15T15:46:43Z",
"published": "2024-04-09T09:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1233"
},
{
"type": "WEB",
"url": "https://github.com/wildfly/wildfly/pull/17812/commits/0c02350bc0d84287bed46e7c32f90b36e50d3523"
},
{
"type": "WEB",
"url": "https://github.com/wildfly/wildfly/commit/aa151a00d75d6dbc4a1bf1b68d58b9de3087bb62"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3559"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3560"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3561"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3563"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3580"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3581"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3583"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9582"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9583"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-1233"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262849"
},
{
"type": "PACKAGE",
"url": "https://github.com/wildfly-security/wildfly-elytron"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/WFLY-19226"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "WildFly Elytron: SSRF security issue"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.