Common Weakness Enumeration

CWE-918

Allowed

Server-Side Request Forgery (SSRF)

Abstraction: Base · Status: Incomplete

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

4627 vulnerabilities reference this CWE, most recent first.

GHSA-VQ52-99R9-H5PW

Vulnerability from github – Published: 2025-02-11 06:30 – Updated: 2025-02-20 16:41
VLAI
Summary
Server-side Request Forgery (SSRF) in hackney
Details

Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Hex",
        "name": "hackney"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-1211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-11T17:59:52Z",
    "nvd_published_at": "2025-02-11T05:15:14Z",
    "severity": "LOW"
  },
  "details": "Versions of the package hackney from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) due to improper parsing of URLs by URI built-in module and hackey. Given the URL http://127.0.0.1?@127.2.2.2/, the URI function will parse and see the host as 127.0.0.1 (which is correct), and hackney will refer the host as 127.2.2.2/. This vulnerability can be exploited when users rely on the URL function for host checking.",
  "id": "GHSA-vq52-99r9-h5pw",
  "modified": "2025-02-20T16:41:45Z",
  "published": "2025-02-11T06:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/commit/9594ce58fabd32cd897fc28fae937694515a3d4a"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/snoopysecurity/996de09ec0cfd0ebdcfdda8ff515deb1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/benoitc/hackney"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benoitc/hackney/releases/tag/1.21.0"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-HEX-HACKNEY-6516131"
    },
    {
      "type": "WEB",
      "url": "https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Server-side Request Forgery (SSRF) in hackney"
}

GHSA-VQ9J-JH62-5HMP

Vulnerability from github – Published: 2018-10-16 23:13 – Updated: 2023-12-19 22:22
VLAI
Summary
Apache Camel's Validation Component is vulnerable against SSRF via remote DTDs and XXE.
Details

Description: The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE). The vulnerability is not given for SAX or StAX sources.

Mitigation: 2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3.

The JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.17.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.camel:camel-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.18.0"
            },
            {
              "fixed": "2.18.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-5643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:58:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Description: The Validation Component of Apache Camel evaluates DTD headers of XML stream sources, although a validation against XML schemas (XSD) is executed. Remote attackers can use this feature to make Server-Side Request Forgery (SSRF) attacks by sending XML documents with remote DTDs URLs or XML External Entities (XXE).  The vulnerability is not given for SAX or StAX sources.\n\nMitigation: 2.17.x users should upgrade to 2.17.6, 2.18.x users should upgrade to 2.18.3. \n\nThe JIRA tickets https://issues.apache.org/jira/browse/CAMEL-10894 refers to the various commits that resolved the issue, and have more details.\n",
  "id": "GHSA-vq9j-jh62-5hmp",
  "modified": "2023-12-19T22:22:28Z",
  "published": "2018-10-16T23:13:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/2c6964ae94d8f9a9c9a32e5ae5a0b794e8b8d3be"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/8afc5d1757795fde715902067360af5d90f046da"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel/commit/9f7376abbff7434794f2c7c2909e02bac232fb5b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1832"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vq9j-jh62-5hmp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/camel"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/CAMEL-10894"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://camel.apache.org/security-advisories.data/CVE-2017-5643.txt.asc?version=1\u0026modificationDate=1489652454000\u0026api=v2"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97226"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Camel\u0027s Validation Component is vulnerable against SSRF via remote DTDs and XXE."
}

GHSA-VQC2-C9JH-3JJV

Vulnerability from github – Published: 2026-06-01 12:30 – Updated: 2026-07-08 20:23
VLAI
Summary
Apache Fesod is vulnerable to Server-Side Request Forgery through its UrlImageConverter component
Details

Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.fesod:fesod-sheet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2-incubating"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-08T20:23:57Z",
    "nvd_published_at": "2026-06-01T11:16:25Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to version 2.0.2-incubating, which fixes this issue.",
  "id": "GHSA-vqc2-c9jh-3jjv",
  "modified": "2026-07-08T20:23:57Z",
  "published": "2026-06-01T12:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/fesod/pull/917"
    },
    {
      "type": "WEB",
      "url": "https://fesod.apache.org/docs/download"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/fesod"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/fesod/releases/tag/2.0.2-incubating"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/c1pb5b66h02p9tlrnfbwcgcz85v16fkj"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/01/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Fesod is vulnerable to Server-Side Request Forgery through its UrlImageConverter component"
}

GHSA-VQJX-886G-C3RV

Vulnerability from github – Published: 2024-03-05 18:31 – Updated: 2024-08-29 21:31
VLAI
Details

A Server-Side Request Forgery (SSRF) in the getFileFromRepo function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-05T17:15:06Z",
    "severity": "MODERATE"
  },
  "details": "A Server-Side Request Forgery (SSRF) in the getFileFromRepo function of WonderCMS v3.1.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.",
  "id": "GHSA-vqjx-886g-c3rv",
  "modified": "2024-08-29T21:31:02Z",
  "published": "2024-03-05T18:31:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27563"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zer0yu/CVE_Request/blob/master/WonderCMS/wondercms_pluginThemeUrl.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQP5-2MRP-QQXG

Vulnerability from github – Published: 2026-05-18 09:31 – Updated: 2026-06-01 15:29
VLAI
Summary
Mattermost doesn't validate the Host header when constructing response URLs for custom slash command
Details

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.5.0"
            },
            {
              "fixed": "11.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.11.0"
            },
            {
              "fixed": "10.11.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20260325160634-e738016c5920"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.3.2-0.20260325160634-e738016c5920"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-6333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-01T15:29:47Z",
    "nvd_published_at": "2026-05-18T09:16:23Z",
    "severity": "LOW"
  },
  "details": "Mattermost versions 11.5.x \u003c= 11.5.1, 10.11.x \u003c= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header.. Mattermost Advisory ID: MMSA-2026-00582",
  "id": "GHSA-vqp5-2mrp-qqxg",
  "modified": "2026-06-01T15:29:47Z",
  "published": "2026-05-18T09:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6333"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mattermost/mattermost/commit/e738016c592045e14bf926eafaeda6f8521def6d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost doesn\u0027t validate the Host header when constructing response URLs for custom slash command"
}

GHSA-VQWH-5JHH-VC9P

Vulnerability from github – Published: 2025-08-21 09:30 – Updated: 2025-08-29 20:52
VLAI
Summary
Mattermost Server SSRF Vulnerability via the Agents Plugin
Details

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.5.9"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.5.0"
            },
            {
              "fixed": "10.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/mattermost/mattermost/server/v8"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0-20250814075248-83a37a861d3c"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-47700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-21T16:02:16Z",
    "nvd_published_at": "2025-08-21T08:15:29Z",
    "severity": "LOW"
  },
  "details": "Mattermost Server versions 10.5.x \u003c= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions",
  "id": "GHSA-vqwh-5jhh-vc9p",
  "modified": "2025-08-29T20:52:24Z",
  "published": "2025-08-21T09:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47700"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mattermost/mattermost"
    },
    {
      "type": "WEB",
      "url": "https://mattermost.com/security-updates"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3906"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mattermost Server SSRF Vulnerability via the Agents Plugin"
}

GHSA-VQX6-6J84-2794

Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-18 20:11
VLAI
Summary
Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-gxg4-2rrr-jhc7. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2026.5.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T20:11:21Z",
    "nvd_published_at": "2026-06-16T19:17:03Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-gxg4-2rrr-jhc7. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies.",
  "id": "GHSA-vqx6-6j84-2794",
  "modified": "2026-06-18T20:11:21Z",
  "published": "2026-06-16T21:31:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gxg4-2rrr-jhc7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53859"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-hostname-validation-bypass-via-trailing-dot-inconsistency"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Hostname checks could treat trailing-dot hosts inconsistently",
  "withdrawn": "2026-06-18T20:11:21Z"
}

GHSA-VR4X-W39V-5C7H

Vulnerability from github – Published: 2026-01-15 00:31 – Updated: 2026-01-15 00:31
VLAI
Details

Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0600"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-14T23:15:56Z",
    "severity": "MODERATE"
  },
  "details": "Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources. A workaround configuration is available starting in version 3.88.0, but the product remains vulnerable by default.",
  "id": "GHSA-vr4x-w39v-5c7h",
  "modified": "2026-01-15T00:31:38Z",
  "published": "2026-01-15T00:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0600"
    },
    {
      "type": "WEB",
      "url": "https://support.sonatype.com/hc/en-us/articles/47928855816595"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-VR56-Q77C-X8PG

Vulnerability from github – Published: 2021-12-21 00:00 – Updated: 2022-01-04 00:01
VLAI
Details

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-22056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-20T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.",
  "id": "GHSA-vr56-q77c-x8pg",
  "modified": "2022-01-04T00:01:27Z",
  "published": "2021-12-21T00:00:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22056"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2021-0030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VR5G-MMX7-H897

Vulnerability from github – Published: 2026-04-09 17:36 – Updated: 2026-04-28 18:25
VLAI
Summary
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation
Details

Impact

Browser SSRF Policy Bypass via Interaction-Triggered Navigation.

Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.5
  • Patched versions: 2026.4.8

Fix

The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.

Verification

The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.

Credits

Thanks @ccreater222 and @KeenSecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T17:36:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nBrowser SSRF Policy Bypass via Interaction-Triggered Navigation.\n\nBrowser interactions could trigger navigations that bypassed the normal SSRF navigation checks.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.4.5`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @ccreater222 and @KeenSecurityLab for reporting.",
  "id": "GHSA-vr5g-mmx7-h897",
  "modified": "2026-04-28T18:25:56Z",
  "published": "2026-04-09T17:36:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vr5g-mmx7-h897"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation"
}

No mitigation information available for this CWE.

CAPEC-664: Server Side Request Forgery

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.