CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CVE-2024-41118 (GCVE-0-2024-41118)
Vulnerability from cvelistv5 – Published: 2024-07-26 20:52 – Updated: 2024-08-02 04:46 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://securitylab.github.com/advisories/GHSL-20… | x_refsource_CONFIRM |
| https://github.com/opengeos/streamlit-geospatial/… | x_refsource_MISC |
| https://github.com/opengeos/streamlit-geospatial/… | x_refsource_MISC |
| https://github.com/opengeos/streamlit-geospatial/… | x_refsource_MISC |
| https://github.com/opengeos/streamlit-geospatial/… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| opengeos | streamlit-geospatial | Affected: < c4f81d9616d40c60584e36abb15300853a66e489 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:opengeos:streamlit-geospatial:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "streamlit-geospatial",
"vendor": "opengeos",
"versions": [
{
"lessThan": "c4f81d9616d40c60584e36abb15300853a66e489",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41118",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-28T13:44:09.254395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-28T13:44:12.991Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L25",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L25"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L47",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L47"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L53",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L53"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "streamlit-geospatial",
"vendor": "opengeos",
"versions": [
{
"status": "affected",
"version": "\u003c c4f81d9616d40c60584e36abb15300853a66e489"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 47 of `pages/7_\ud83d\udce6_Web_Map_Service.py` takes user input, which is passed to `get_layers` function, in which `url` is used with `get_wms_layer` method. `get_wms_layer` method creates a request to arbitrary destinations, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T20:52:46.182Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L25",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L25"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L47"
},
{
"name": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L53",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/7_%F0%9F%93%A6_Web_Map_Service.py#L53"
}
],
"source": {
"advisory": "GHSA-v337-9mg8-x272",
"discovery": "UNKNOWN"
},
"title": "streamlit-geospatial blind SSRF in pages/7_\ud83d\udce6_Web_Map_Service.py"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41118",
"datePublished": "2024-07-26T20:52:46.182Z",
"dateReserved": "2024-07-15T15:53:28.322Z",
"dateUpdated": "2024-08-02T04:46:52.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41664 (GCVE-0-2024-41664)
Vulnerability from cvelistv5 – Published: 2024-07-23 16:59 – Updated: 2024-08-02 04:46 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/thinkst/canarytokens/security/… | x_refsource_CONFIRM |
| Vendor | Product | Version |
|---|---|---|
| thinkst | canarytokens | Affected: < sha-8ea5315 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T20:37:34.635384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T20:37:43.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/thinkst/canarytokens/security/advisories/GHSA-g6h5-pf7p-qmvj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/thinkst/canarytokens/security/advisories/GHSA-g6h5-pf7p-qmvj"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "canarytokens",
"vendor": "thinkst",
"versions": [
{
"status": "affected",
"version": "\u003c sha-8ea5315"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Canarytokens help track activity and actions on a network. Prior to `sha-8ea5315`, Canarytokens.org was vulnerable to a blind SSRF in the Webhook alert feature. When a Canarytoken is created, users choose to receive alerts either via email or via a webhook. If a webhook is supplied when a Canarytoken is first created, the site will make a test request to the supplied URL to ensure it accepts alert notification HTTP requests. No safety checks were performed on the URL, leading to a Server-Side Request Forgery vulnerability. The SSRF is Blind because the content of the response is not displayed to the creating user; they are simply told whether an error occurred in making the test request. Using the Blind SSRF, it was possible to map out open ports for IPs inside the Canarytokens.org infrastructure. This issue is now patched on Canarytokens.org. Users of self-hosted Canarytokens installations can update by pulling the latest Docker image, or any Docker image after `sha-097d91a`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T16:59:59.755Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/thinkst/canarytokens/security/advisories/GHSA-g6h5-pf7p-qmvj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/thinkst/canarytokens/security/advisories/GHSA-g6h5-pf7p-qmvj"
}
],
"source": {
"advisory": "GHSA-g6h5-pf7p-qmvj",
"discovery": "UNKNOWN"
},
"title": "Blind SSRF via Canarytoken Webhook"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41664",
"datePublished": "2024-07-23T16:59:59.755Z",
"dateReserved": "2024-07-18T15:21:47.483Z",
"dateUpdated": "2024-08-02T04:46:52.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41668 (GCVE-0-2024-41668)
Vulnerability from cvelistv5 – Published: 2024-07-23 18:14 – Updated: 2024-08-02 04:46 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/cBioPortal/cbioportal/security… | x_refsource_CONFIRM |
| https://github.com/cBioPortal/cbioportal/pull/10884 | x_refsource_MISC |
| https://github.com/cBioPortal/cbioportal/commit/e… | x_refsource_MISC |
| https://github.com/cBioPortal/cbioportal/releases… | x_refsource_MISC |
| https://www.wizlynxgroup.com/security-research-ad… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| cBioPortal | cbioportal | Affected: < 6.0.12 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:cbioportal_project:cbioportal:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "cbioportal",
"vendor": "cbioportal_project",
"versions": [
{
"lessThan": "6.0.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41668",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-25T14:45:01.853051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T14:47:53.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.924Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm"
},
{
"name": "https://github.com/cBioPortal/cbioportal/pull/10884",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cBioPortal/cbioportal/pull/10884"
},
{
"name": "https://github.com/cBioPortal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cBioPortal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5"
},
{
"name": "https://github.com/cBioPortal/cbioportal/releases/tag/v6.0.12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/cBioPortal/cbioportal/releases/tag/v6.0.12"
},
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2024-004",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2024-004"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "cbioportal",
"vendor": "cBioPortal",
"versions": [
{
"status": "affected",
"version": "\u003c 6.0.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. When running a publicly exposed proxy endpoint without authentication, cBioPortal could allow someone to perform a Server Side Request Forgery (SSRF) attack. Logged in users could do the same on private instances. A fix has been released in version 6.0.12. As a workaround, one might be able to disable `/proxy` endpoint entirely via, for example, nginx."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T18:14:41.169Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm"
},
{
"name": "https://github.com/cBioPortal/cbioportal/pull/10884",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cBioPortal/cbioportal/pull/10884"
},
{
"name": "https://github.com/cBioPortal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cBioPortal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5"
},
{
"name": "https://github.com/cBioPortal/cbioportal/releases/tag/v6.0.12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/cBioPortal/cbioportal/releases/tag/v6.0.12"
},
{
"name": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2024-004",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2024-004"
}
],
"source": {
"advisory": "GHSA-9h44-r3c3-q7rm",
"discovery": "UNKNOWN"
},
"title": "cBioPortal Proxy Endpoint Vulnerabliity"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41668",
"datePublished": "2024-07-23T18:14:41.169Z",
"dateReserved": "2024-07-18T15:21:47.485Z",
"dateUpdated": "2024-08-02T04:46:52.924Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41737 (GCVE-0-2024-41737)
Vulnerability from cvelistv5 – Published: 2024-08-13 03:55 – Updated: 2024-08-14 16:43 – CWE-918 - Server-Side Request Forgery
| Vendor | Product | Version |
|---|---|---|
| SAP_SE | SAP CRM ABAP (Insights Management) | Affected: BBPCRM 700, 701, 702, 712, 713, 714 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-14T16:43:03.220645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T16:43:20.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SAP CRM ABAP (Insights Management)",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "BBPCRM 700"
},
{
"status": "affected",
"version": "701"
},
{
"status": "affected",
"version": "702"
},
{
"status": "affected",
"version": "712"
},
{
"status": "affected",
"version": "713"
},
{
"status": "affected",
"version": "714"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SAP CRM ABAP (Insights\nManagement) allows an authenticated attacker to enumerate HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application."
}
],
"value": "SAP CRM ABAP (Insights\nManagement) allows an authenticated attacker to enumerate HTTP endpoints in the\ninternal network by specially crafting HTTP requests. On successful\nexploitation this can result in information disclosure. It has no impact on\nintegrity and availability of the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T03:55:04.128Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"url": "https://me.sap.com/notes/3487537"
},
{
"url": "https://url.sap/sapsecuritypatchday"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2024-41737",
"datePublished": "2024-08-13T03:55:04.128Z",
"dateReserved": "2024-07-22T08:06:52.677Z",
"dateUpdated": "2024-08-14T16:43:20.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41812 (GCVE-0-2024-41812)
Vulnerability from cvelistv5 – Published: 2024-07-26 16:49 – Updated: 2024-08-02 04:46 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/TxtDot/txtdot/security/advisor… | x_refsource_CONFIRM |
| https://github.com/TxtDot/txtdot/commit/7c72d985f… | x_refsource_MISC |
| https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:txtdot:txtdot:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "txtdot",
"vendor": "txtdot",
"versions": [
{
"lessThan": "1.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41812",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:27:22.154248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T20:24:30.924Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.687Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4gj5-xj97-j8fp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4gj5-xj97-j8fp"
},
{
"name": "https://github.com/TxtDot/txtdot/commit/7c72d985f7a26ec1fd3cf628444717ca54986d2d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TxtDot/txtdot/commit/7c72d985f7a26ec1fd3cf628444717ca54986d2d"
},
{
"name": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "txtdot",
"vendor": "TxtDot",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "txtdot is an HTTP proxy that parses only text, links, and pictures from pages, removing ads and heavy scripts. Prior to version 1.7.0, a Server-Side Request Forgery (SSRF) vulnerability in the `/get` route of txtdot allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network. Version 1.7.0 prevents displaying the response of forged requests, but the requests can still be sent. For complete mitigation, a firewall between txtdot and other internal network resources should be set."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T16:49:52.343Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4gj5-xj97-j8fp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4gj5-xj97-j8fp"
},
{
"name": "https://github.com/TxtDot/txtdot/commit/7c72d985f7a26ec1fd3cf628444717ca54986d2d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TxtDot/txtdot/commit/7c72d985f7a26ec1fd3cf628444717ca54986d2d"
},
{
"name": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47"
}
],
"source": {
"advisory": "GHSA-4gj5-xj97-j8fp",
"discovery": "UNKNOWN"
},
"title": "txtdot SSRF vulnerability in /get"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41812",
"datePublished": "2024-07-26T16:49:52.343Z",
"dateReserved": "2024-07-22T13:57:37.136Z",
"dateUpdated": "2024-08-02T04:46:52.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41813 (GCVE-0-2024-41813)
Vulnerability from cvelistv5 – Published: 2024-07-26 16:51 – Updated: 2024-08-12 20:55 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/TxtDot/txtdot/security/advisor… | x_refsource_CONFIRM |
| https://github.com/TxtDot/txtdot/commit/f241a46e0… | x_refsource_MISC |
| https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:txtdot:txtdot:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "txtdot",
"vendor": "txtdot",
"versions": [
{
"lessThan": "1.6.1",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41813",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:09:51.792043Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T20:55:12.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4c78-229v-hf6m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4c78-229v-hf6m"
},
{
"name": "https://github.com/TxtDot/txtdot/commit/f241a46e05b148a39b84bf956051b5aaa489949e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TxtDot/txtdot/commit/f241a46e05b148a39b84bf956051b5aaa489949e"
},
{
"name": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "txtdot",
"vendor": "TxtDot",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.0, \u003c 1.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "txtdot is an HTTP proxy that parses only text, links, and pictures from pages, removing ads and heavy scripts. Starting in version 1.4.0 and prior to version 1.6.1, a Server-Side Request Forgery (SSRF) vulnerability in the `/proxy` route of txtdot allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network. Version 1.6.1 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T16:51:33.606Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4c78-229v-hf6m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TxtDot/txtdot/security/advisories/GHSA-4c78-229v-hf6m"
},
{
"name": "https://github.com/TxtDot/txtdot/commit/f241a46e05b148a39b84bf956051b5aaa489949e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TxtDot/txtdot/commit/f241a46e05b148a39b84bf956051b5aaa489949e"
},
{
"name": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47"
}
],
"source": {
"advisory": "GHSA-4c78-229v-hf6m",
"discovery": "UNKNOWN"
},
"title": "txtdot SSRF vulnerability in /proxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41813",
"datePublished": "2024-07-26T16:51:33.606Z",
"dateReserved": "2024-07-22T13:57:37.137Z",
"dateUpdated": "2024-08-12T20:55:12.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42182 (GCVE-0-2024-42182)
Vulnerability from cvelistv5 – Published: 2025-01-23 01:05 – Updated: 2025-01-23 14:54 – CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version |
|---|---|---|
| HCL Software | BigFix Patch Management Download Plug-ins | Affected: 1177 and below |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42182",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T14:54:17.351538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T14:54:26.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BigFix Patch Management Download Plug-ins",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "1177 and below"
}
]
}
],
"datePublic": "2025-01-21T20:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBigFix Patch Download Plug-ins are affected by Server-Side Request Forgery (SSRF) vulnerability. It may allow the application to download files from an internally hosted server on localhost.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "BigFix Patch Download Plug-ins are affected by Server-Side Request Forgery (SSRF) vulnerability. It may allow the application to download files from an internally hosted server on localhost."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 2.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T01:06:22.481Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0118565"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL BigFix Patch Download Plug-ins are affected by Server-Side Request Forgery (SSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2024-42182",
"datePublished": "2025-01-23T01:05:52.350Z",
"dateReserved": "2024-07-29T21:32:05.157Z",
"dateUpdated": "2025-01-23T14:54:26.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4219 (GCVE-0-2024-4219)
Vulnerability from cvelistv5 – Published: 2024-06-04 20:08 – Updated: 2024-08-01 20:33 – CWE-918 - Server-Side Request Forgery (SSRF)
| Vendor | Product | Version |
|---|---|---|
| BeyondTrust | BeyondInsight | Affected: 0 , < 23.2 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T14:07:47.780311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:58.476Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:52.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.beyondtrust.com/trust-center/security-advisories/BT24-05"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"64 bit",
"32 bit"
],
"product": "BeyondInsight",
"vendor": "BeyondTrust",
"versions": [
{
"lessThan": "23.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Paolo Caminati"
},
{
"lang": "en",
"type": "finder",
"value": "Daniele Montanaro"
}
],
"datePublic": "2024-06-04T19:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nPrior to 23.2, it is possible to perform arbitrary Server-Side requests via HTTP-based connectors within BeyondInsight, resulting in a server-side request forgery vulnerability.\n\n\u003cp\u003e\u003c/p\u003e"
}
],
"value": "Prior to 23.2, it is possible to perform arbitrary Server-Side requests via HTTP-based connectors within BeyondInsight, resulting in a server-side request forgery vulnerability."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-664 Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T20:13:33.046Z",
"orgId": "13061848-ea10-403d-bd75-c83a022c2891",
"shortName": "BT"
},
"references": [
{
"url": "https://www.beyondtrust.com/trust-center/security-advisories/BT24-05"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SSRF In BeyondInsight",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "13061848-ea10-403d-bd75-c83a022c2891",
"assignerShortName": "BT",
"cveId": "CVE-2024-4219",
"datePublished": "2024-06-04T20:08:29.514Z",
"dateReserved": "2024-04-25T21:45:38.683Z",
"dateUpdated": "2024-08-01T20:33:52.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42352 (GCVE-0-2024-42352)
Vulnerability from cvelistv5 – Published: 2024-08-05 20:38 – Updated: 2024-08-06 15:25 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/nuxt/icon/security/advisories/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:nuxt:icon:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "icon",
"vendor": "nuxt",
"versions": [
{
"lessThan": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42352",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T15:19:46.203842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T15:25:44.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "icon",
"vendor": "nuxt",
"versions": [
{
"status": "affected",
"version": "\u003c 1.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:38:08.419Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nuxt/icon/security/advisories/GHSA-cxgv-px37-4mp2"
}
],
"source": {
"advisory": "GHSA-cxgv-px37-4mp2",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in nuxt-icon"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42352",
"datePublished": "2024-08-05T20:38:08.419Z",
"dateReserved": "2024-07-30T14:01:33.922Z",
"dateUpdated": "2024-08-06T15:25:44.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42467 (GCVE-0-2024-42467)
Vulnerability from cvelistv5 – Published: 2024-08-09 18:06 – Updated: 2024-08-12 17:34 – CWE-918 - Server-Side Request Forgery (SSRF)
| URL | Tags |
|---|---|
| https://github.com/openhab/openhab-webui/security… | x_refsource_CONFIRM |
| https://github.com/openhab/openhab-webui/commit/6… | x_refsource_MISC |
| https://github.com/openhab/openhab-webui/blob/1c0… | x_refsource_MISC |
| Vendor | Product | Version |
|---|---|---|
| openhab | openhab-webui | Affected: < 4.2.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openhab:openhab_webui:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openhab_webui",
"vendor": "openhab",
"versions": [
{
"lessThan": "4.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-42467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-12T15:04:09.931539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T17:34:04.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openhab-webui",
"vendor": "openhab",
"versions": [
{
"status": "affected",
"version": "\u003c 4.2.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, the proxy endpoint of openHAB\u0027s CometVisu add-on can be accessed without authentication. This proxy-feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers, in case openHAB is exposed in a non-private network. Furthermore, this proxy-feature can also be exploited as a Cross-Site Scripting (XSS) vulnerability, as an attacker is able to re-route a request to their server and return a page with malicious JavaScript code. Since the browser receives this data directly from the openHAB CometVisu UI, this JavaScript code will be executed with the origin of the CometVisu UI. This allows an attacker to exploit call endpoints on an openHAB server even if the openHAB server is located in a private network. (e.g. by sending an openHAB admin a link that proxies malicious JavaScript.) This issue may lead up to Remote Code Execution (RCE) when chained with other vulnerabilities. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T18:06:34.059Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openhab/openhab-webui/security/advisories/GHSA-v7gr-mqpj-wwh3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openhab/openhab-webui/security/advisories/GHSA-v7gr-mqpj-wwh3"
},
{
"name": "https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openhab/openhab-webui/commit/630e8525835c698cf58856aa43782d92b18087f2"
},
{
"name": "https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/backend/rest/ProxyResource.java#L83",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openhab/openhab-webui/blob/1c03c60f84388b9d7da0231df2d4ebb1e17d3fcf/bundles/org.openhab.ui.cometvisu/src/main/java/org/openhab/ui/cometvisu/internal/backend/rest/ProxyResource.java#L83"
}
],
"source": {
"advisory": "GHSA-v7gr-mqpj-wwh3",
"discovery": "UNKNOWN"
},
"title": "CometVisu Backend for openHAB affected by SSRF/XSS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-42467",
"datePublished": "2024-08-09T18:06:34.059Z",
"dateReserved": "2024-08-02T14:13:04.614Z",
"dateUpdated": "2024-08-12T17:34:04.341Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.