Unrated severityNVD Advisory· Published Sep 21, 2020· Updated Aug 4, 2024
CVE-2020-16171
CVE-2020-16171
Description
An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwards used in a separate web request issued by the application itself. This can be abused to conduct SSRF attacks against otherwise unreachable Acronis services that are bound to localhost such as the NotificationService on 127.0.0.1:30572.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Acronis/Cyber Backupdescription
- Range: <12.5 Build 16342
Patches
Vulnerability mechanics
References
2- seclists.org/fulldisclosure/2020/Sep/33mitrex_refsource_MISC
- www.rcesecurity.com/2020/09/CVE-2020-16171-Exploiting-Acronis-Cyber-Backup-for-Fun-and-Emails/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.