CWE-918
AllowedServer-Side Request Forgery (SSRF)
Abstraction: Base · Status: Incomplete
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
4650 vulnerabilities reference this CWE, most recent first.
GHSA-5J74-V2XH-7CPV
Vulnerability from github – Published: 2026-07-15 00:31 – Updated: 2026-07-15 00:31CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
{
"affected": [],
"aliases": [
"CVE-2026-48290"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T22:17:00Z",
"severity": "HIGH"
},
"details": "CAI Content Credentials is affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim\u0027s account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.",
"id": "GHSA-5j74-v2xh-7cpv",
"modified": "2026-07-15T00:31:42Z",
"published": "2026-07-15T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48290"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-80.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5J8C-469M-FQ24
Vulnerability from github – Published: 2024-07-31 09:30 – Updated: 2025-02-07 18:31A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-5 running only on premise.
{
"affected": [],
"aliases": [
"CVE-2024-6980"
],
"database_specific": {
"cwe_ids": [
"CWE-209",
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-31T07:15:02Z",
"severity": "CRITICAL"
},
"details": "A verbose error handling issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery.\u00a0This issue only affects GravityZone Console versions before 6.38.1-5\u00a0running only on premise.",
"id": "GHSA-5j8c-469m-fq24",
"modified": "2025-02-07T18:31:16Z",
"published": "2024-07-31T09:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6980"
},
{
"type": "WEB",
"url": "https://www.bitdefender.com/consumer/support/support/security-advisories/verbose-error-handling-issue-in-gravityzone-update-server-proxy-service"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-5JCF-C5RG-RMM8
Vulnerability from github – Published: 2018-01-22 13:31 – Updated: 2023-01-26 20:24Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "paperclip"
},
"ranges": [
{
"events": [
{
"introduced": "3.1.4"
},
{
"fixed": "5.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-0889"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:16:31Z",
"nvd_published_at": "2017-11-13T17:29:00Z",
"severity": "CRITICAL"
},
"details": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the `Paperclip::UriAdapter` class. Attackers may be able to access information about internal network resources.",
"id": "GHSA-5jcf-c5rg-rmm8",
"modified": "2023-01-26T20:24:38Z",
"published": "2018-01-22T13:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0889"
},
{
"type": "WEB",
"url": "https://github.com/thoughtbot/paperclip/pull/2435"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/209430"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/713"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/paperclip/CVE-2017-0889.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/thoughtbot/paperclip"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "paperclip Server-Side Request Forgery vulnerability"
}
GHSA-5JG7-JG3H-568W
Vulnerability from github – Published: 2025-02-27 09:31 – Updated: 2025-03-11 18:32The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the 'download' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
{
"affected": [],
"aliases": [
"CVE-2024-13907"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T07:15:33Z",
"severity": "MODERATE"
},
"details": "The Total Upkeep \u2013 WordPress Backup Plugin plus Restore \u0026 Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the \u0027download\u0027 function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.",
"id": "GHSA-5jg7-jg3h-568w",
"modified": "2025-03-11T18:32:09Z",
"published": "2025-02-27T09:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13907"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/boldgrid-backup/trunk/includes/class-boldgrid-backup-archive-fetcher.php#L141"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3246655"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21da92d2-c38d-4a12-b850-bd0b580aaa54?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5JH9-2H63-PW4Q
Vulnerability from github – Published: 2026-05-29 20:21 – Updated: 2026-05-29 20:21Summary
CC-Tweaked's HTTP API (http.request, http.websocket) blocks requests to private network ranges to prevent server-side request forgery (SSRF). This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses (64:ff9b::/96). An attacker who can execute Lua code can reach any internal IPv4 service that the filter is intended to block, by addressing it as http://[64:ff9b::<ipv4-as-hex>]/ instead of its direct IPv4 address. This affects any CC-Tweaked deployment on a network with NAT64 routing — a configuration that is standard on AWS, GCP, and other cloud platforms when using IPv6-only subnets.
Details
The IP filter in PrivatePattern.matches() (AddressPredicate.java#L121–L130) blocks private network ranges by calling Java's standard InetAddress classification methods:
public boolean matches(InetAddress socketAddress) {
return socketAddress.isAnyLocalAddress()
|| socketAddress.isLoopbackAddress()
|| socketAddress.isLinkLocalAddress()
|| socketAddress.isSiteLocalAddress()
|| socketAddress.isMulticastAddress()
|| isUniqueLocalAddress(socketAddress)
|| isCarrierGradeNatAddress(socketAddress)
|| additionalAddresses.contains(socketAddress);
}
When a NAT64 address such as 64:ff9b::c0a8:0101 (encoding 192.168.1.1) is resolved via new InetSocketAddress("64:ff9b::c0a8:0101", 80), Java returns an Inet6Address. Every method above returns false for this address — the 64:ff9b::/96 prefix is not recognised by any of Java's built-in classification methods. The address passes the filter and CC-Tweaked opens a connection.
On a network with a 64:ff9b::/96 → NAT Gateway route, that connection is translated at the network level: the embedded IPv4 address is extracted and the packet is forwarded to 192.168.1.1:80. The internal service receives a normal IPv4 TCP connection.
The existing 6to4 (2002::/16) mitigation in AddressRule.java#L74–L75 does not cover the NAT64 prefix. No other check catches 64:ff9b::/96.
PoC
Preconditions (all three required):
1. The server running CC-Tweaked has an IPv6 address assigned
2. The network has a NAT Gateway (or equivalent)
3. The route table contains 64:ff9b::/96 → NAT Gateway — the standard AWS/GCP configuration for IPv6-only subnets with outbound IPv4 access (AWS documentation)
Lua payload (targets an internal service at 10.0.1.17:8888):
-- 10.0.1.17 = 0x0a000111, expressed as NAT64: 64:ff9b::0a00:0111
local res = http.request("http://[64:ff9b::0a00:0111]:8888/")
if res then print(res.readAll()) end
Conversion formula — for any blocked IPv4 a.b.c.d, the bypass address is:
64:ff9b::<hex(a)><hex(b)>:<hex(c)><hex(d)>
Impact
This is a server-side request forgery (SSRF) vulnerability. Any user able to execute Lua code on a CC-Tweaked computer — including players on a public server — can use it to send HTTP requests to internal IPv4 services that the HTTP filter is designed to block. On cloud-hosted servers (AWS, GCP, Azure) using IPv6-only subnets with NAT64, which is an increasingly common configuration following AWS's February 2024 public IPv4 pricing change, this includes other instances in the VPC, internal databases, and cloud management APIs.
Suggested fix: add a check for the NAT64 well-known prefix in PrivatePattern.matches():
|| isNAT64Address(socketAddress)
private boolean isNAT64Address(InetAddress address) {
if (!(address instanceof Inet6Address)) return false;
byte[] b = address.getAddress();
// 64:ff9b::/96 — NAT64 well-known prefix (RFC 6052)
return b[0] == 0x00 && b[1] == 0x64 &&
b[2] == (byte) 0xff && b[3] == (byte) 0x9b &&
b[4] == 0 && b[5] == 0 && b[6] == 0 && b[7] == 0 &&
b[8] == 0 && b[9] == 0 && b[10] == 0 && b[11] == 0;
}
This vulnerability does not seem to work on servers running on modern versions of MacOS.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.21-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.20.1-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.20.4-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.20.5-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.20.6-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.19.3-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.19.4-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "cc.tweaked:cc-tweaked-1.20-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.119.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47695"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T20:21:12Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nCC-Tweaked\u0027s HTTP API (`http.request`, `http.websocket`) blocks requests to private network ranges to prevent server-side request forgery (SSRF). This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses (`64:ff9b::/96`). An attacker who can execute Lua code can reach any internal IPv4 service that the filter is intended to block, by addressing it as `http://[64:ff9b::\u003cipv4-as-hex\u003e]/` instead of its direct IPv4 address. This affects any CC-Tweaked deployment on a network with NAT64 routing \u2014 a configuration that is standard on AWS, GCP, and other cloud platforms when using IPv6-only subnets.\n\n### Details\n\nThe IP filter in [`PrivatePattern.matches()` (AddressPredicate.java#L121\u2013L130)](https://github.com/cc-tweaked/CC-Tweaked/blob/663ffed4337da0dc3d82ace1e813e3c78b4a8c99/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L121-L130) blocks private network ranges by calling Java\u0027s standard `InetAddress` classification methods:\n\n```java\npublic boolean matches(InetAddress socketAddress) {\n return socketAddress.isAnyLocalAddress()\n || socketAddress.isLoopbackAddress()\n || socketAddress.isLinkLocalAddress()\n || socketAddress.isSiteLocalAddress()\n || socketAddress.isMulticastAddress()\n || isUniqueLocalAddress(socketAddress)\n || isCarrierGradeNatAddress(socketAddress)\n || additionalAddresses.contains(socketAddress);\n}\n```\n\nWhen a NAT64 address such as `64:ff9b::c0a8:0101` (encoding `192.168.1.1`) is resolved via `new InetSocketAddress(\"64:ff9b::c0a8:0101\", 80)`, Java returns an `Inet6Address`. Every method above returns `false` for this address \u2014 the `64:ff9b::/96` prefix is not recognised by any of Java\u0027s built-in classification methods. The address passes the filter and CC-Tweaked opens a connection.\n\nOn a network with a `64:ff9b::/96 \u2192 NAT Gateway` route, that connection is translated at the network level: the embedded IPv4 address is extracted and the packet is forwarded to `192.168.1.1:80`. The internal service receives a normal IPv4 TCP connection.\n\nThe existing 6to4 (`2002::/16`) mitigation in [`AddressRule.java#L74\u2013L75`](https://github.com/cc-tweaked/CC-Tweaked/blob/663ffed4337da0dc3d82ace1e813e3c78b4a8c99/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressRule.java#L74-L75) does not cover the NAT64 prefix. No other check catches `64:ff9b::/96`.\n\n### PoC\n\n**Preconditions** (all three required):\n1. The server running CC-Tweaked has an IPv6 address assigned\n2. The network has a NAT Gateway (or equivalent)\n3. The route table contains `64:ff9b::/96 \u2192 NAT Gateway` \u2014 the standard AWS/GCP configuration for IPv6-only subnets with outbound IPv4 access ([AWS documentation](https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html))\n\n**Lua payload** (targets an internal service at `10.0.1.17:8888`):\n```lua\n-- 10.0.1.17 = 0x0a000111, expressed as NAT64: 64:ff9b::0a00:0111\nlocal res = http.request(\"http://[64:ff9b::0a00:0111]:8888/\")\nif res then print(res.readAll()) end\n```\n\n**Conversion formula** \u2014 for any blocked IPv4 `a.b.c.d`, the bypass address is:\n```\n64:ff9b::\u003chex(a)\u003e\u003chex(b)\u003e:\u003chex(c)\u003e\u003chex(d)\u003e\n```\n\n### Impact\n\nThis is a server-side request forgery (SSRF) vulnerability. Any user able to execute Lua code on a CC-Tweaked computer \u2014 including players on a public server \u2014 can use it to send HTTP requests to internal IPv4 services that the HTTP filter is designed to block. On cloud-hosted servers (AWS, GCP, Azure) using IPv6-only subnets with NAT64, which is an [increasingly common configuration following AWS\u0027s February 2024 public IPv4 pricing change](https://aws.amazon.com/blogs/aws/new-aws-public-ipv4-address-charge-public-ip-insights/), this includes other instances in the VPC, internal databases, and cloud management APIs.\n\n**Suggested fix:** add a check for the NAT64 well-known prefix in [`PrivatePattern.matches()`](https://github.com/cc-tweaked/CC-Tweaked/blob/663ffed4337da0dc3d82ace1e813e3c78b4a8c99/projects/core/src/main/java/dan200/computercraft/core/apis/http/options/AddressPredicate.java#L121-L130):\n\n```java\n|| isNAT64Address(socketAddress)\n\nprivate boolean isNAT64Address(InetAddress address) {\n if (!(address instanceof Inet6Address)) return false;\n byte[] b = address.getAddress();\n // 64:ff9b::/96 \u2014 NAT64 well-known prefix (RFC 6052)\n return b[0] == 0x00 \u0026\u0026 b[1] == 0x64 \u0026\u0026\n b[2] == (byte) 0xff \u0026\u0026 b[3] == (byte) 0x9b \u0026\u0026\n b[4] == 0 \u0026\u0026 b[5] == 0 \u0026\u0026 b[6] == 0 \u0026\u0026 b[7] == 0 \u0026\u0026\n b[8] == 0 \u0026\u0026 b[9] == 0 \u0026\u0026 b[10] == 0 \u0026\u0026 b[11] == 0;\n}\n```\n\nThis vulnerability does not seem to work on servers running on modern versions of MacOS.",
"id": "GHSA-5jh9-2h63-pw4q",
"modified": "2026-05-29T20:21:12Z",
"published": "2026-05-29T20:21:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/cc-tweaked/CC-Tweaked/security/advisories/GHSA-5jh9-2h63-pw4q"
},
{
"type": "PACKAGE",
"url": "https://github.com/cc-tweaked/CC-Tweaked"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "CC-Tweaked has an SSRF Protection Bypass with NAT64"
}
GHSA-5JJ7-GJCQ-HRC8
Vulnerability from github – Published: 2024-05-15 03:30 – Updated: 2024-05-15 03:30ITPison OMICARD EDM fails to properly filter specific URL parameter, allowing unauthenticated remote attackers to modify the parameters and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information.
{
"affected": [],
"aliases": [
"CVE-2024-4894"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-15T03:15:14Z",
"severity": "MODERATE"
},
"details": "ITPison OMICARD EDM fails to properly filter specific URL parameter, allowing unauthenticated remote attackers to modify the parameters and conduct Server-Side Request Forgery (SSRF) attacks. This vulnerability enables attackers to probe internal network information.",
"id": "GHSA-5jj7-gjcq-hrc8",
"modified": "2024-05-15T03:30:45Z",
"published": "2024-05-15T03:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4894"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/en/cp-139-7803-c0f73-2.html"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7802-18f3c-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5JM5-RWHX-QV75
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.
{
"affected": [],
"aliases": [
"CVE-2021-41586"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-24T15:15:00Z",
"severity": "HIGH"
},
"details": "In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.",
"id": "GHSA-5jm5-rwhx-qv75",
"modified": "2022-05-24T19:15:42Z",
"published": "2022-05-24T19:15:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41586"
},
{
"type": "WEB",
"url": "https://security.gradle.com/advisory/2021-05"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5JQ6-2984-JH3P
Vulnerability from github – Published: 2024-11-08 18:30 – Updated: 2024-11-08 21:33Northern.tech Mender before 3.6.6 and 3.7.x before 3.7.7 allows SSRF.
{
"affected": [],
"aliases": [
"CVE-2024-46947"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-08T16:15:23Z",
"severity": "MODERATE"
},
"details": "Northern.tech Mender before 3.6.6 and 3.7.x before 3.7.7 allows SSRF.",
"id": "GHSA-5jq6-2984-jh3p",
"modified": "2024-11-08T21:33:57Z",
"published": "2024-11-08T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46947"
},
{
"type": "WEB",
"url": "https://mender.io/blog/cve-2024-46947-cve-2024-47190-ssrf-issues-in-mender-enterprise-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5M2C-33C5-MHVP
Vulnerability from github – Published: 2022-06-29 00:00 – Updated: 2022-07-09 00:00A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2017-20106"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-28T07:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-5m2c-33c5-mhvp",
"modified": "2022-07-09T00:00:28Z",
"published": "2022-06-29T00:00:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20106"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.97265"
},
{
"type": "WEB",
"url": "https://www.vulnerability-lab.com/get_content.php?id=2030"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5M3J-PXH7-455P
Vulnerability from github – Published: 2024-07-19 09:32 – Updated: 2025-04-04 15:15A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cxf:cxf-rt-rs-service-description"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cxf:cxf-rt-rs-service-description"
},
"ranges": [
{
"events": [
{
"introduced": "3.6.0"
},
{
"fixed": "3.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.cxf:cxf-rt-rs-service-description"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29736"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-19T18:34:43Z",
"nvd_published_at": "2024-07-19T09:15:04Z",
"severity": "HIGH"
},
"details": "A SSRF vulnerability in WADL service description in versions of Apache CXF before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform SSRF style attacks on REST webservices. The attack only applies if a custom stylesheet parameter is configured.",
"id": "GHSA-5m3j-pxh7-455p",
"modified": "2025-04-04T15:15:10Z",
"published": "2024-07-19T09:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29736"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf/commit/378afe1acb7503315bc63555c8743db0f55d8312"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf/commit/bafb0cadf723fc3962031c34f1f20dc0e8b7a36b"
},
{
"type": "WEB",
"url": "https://github.com/apache/cxf/commit/df2241c59481a57aebb1c0693b778a35baaf5570"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/cxf"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache CXF: SSRF vulnerability via WADL stylesheet parameter"
}
No mitigation information available for this CWE.
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.