CVE-2021-22969
Description
Concrete CMS below 8.5.7 is vulnerable to SSRF via DNS rebind, allowing attackers to retrieve cloud IAM keys.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Concrete CMS (formerly concrete5) versions below 8.5.7 contain a server-side request forgery (SSRF) mitigation bypass that can be exploited using a DNS rebind attack [1]. The vulnerability exists in the remote download functionality, where the application initially validates a hostname but then re-resolves it after validation, allowing an attacker to redirect the request to a local network address. This enables fetching cloud infrastructure (e.g., AWS) Instance Metadata Service (IMDS) endpoints to retrieve IAM keys. The fix in version 8.5.7 disallows downloads from the local network and specifies the validated IP address when downloading rather than relying on DNS [2].
Exploitation
Exploitation requires low privileges (CVSS 3.1: PR:L) and no user interaction (UI:N), but the attack complexity is high (AC:H) because it depends on a DNS rebind attack [1]. The attacker must control a domain that initially resolves to a benign IP and then, after the application's validation, switches to a local IP (e.g., 169.254.169.254 for AWS). The attacker triggers a download request from the Concrete CMS instance, which follows the DNS change and fetches cloud metadata, returning the IAM keys to the attacker.
Impact
Successful exploitation allows an attacker to retrieve cloud IAM keys from the hosting environment, leading to unauthorized access to cloud resources and potential information disclosure. The CVSS 3.1 score is 3.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N), indicating low confidentiality impact but a changed scope [1]. Note that cloud provider misconfigurations (e.g., IMDS not properly secured) are not considered vulnerabilities in Concrete CMS itself [1].
Mitigation
Upgrade to Concrete CMS version 8.5.7 or 9.0.0, which contain the fix [1][2]. As a workaround, ensure that cloud IMDS configurations follow the provider's best practices (e.g., using IMDSv2 with session tokens on AWS) to limit the impact even if the SSRF is exploited [1]. No known exploitation in the wild or KEV listing has been reported at the time of publication.
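The validate-then-re-resolve flaw and the pin-the-validated-IP fix described above, as an added Python illustration (not Concrete CMS code, which is PHP). The function names, the fake rebinding resolver and the hostname are constructed for the example, and the resolver is injected so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class BlockedDestination(Exception):
    """Raised when a hostname resolves to a non-public address."""


def system_resolver(host):
    """Real lookup; the demo below injects a fake resolver instead."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def check_public(ips):
    """Reject the lookup if ANY answer is loopback, private, link-local, etc."""
    if not ips or not all(ipaddress.ip_address(ip).is_global for ip in ips):
        raise BlockedDestination(ips)
    return ips


def check_then_refetch(url, resolver=system_resolver):
    """Flawed pattern from the description: validate, then resolve again."""
    host = urlsplit(url).hostname
    check_public(resolver(host))      # lookup 1: validation only
    return resolver(host)[0]          # lookup 2: what the HTTP client connects to


def pinned_target(url, resolver=system_resolver):
    """Fixed pattern: one lookup, connect to the validated IP itself."""
    parts = urlsplit(url)
    ip = check_public(resolver(parts.hostname))[0]
    # Caller connects to `ip` and sends the original name as Host / TLS SNI.
    return ip, parts.hostname


class RebindingResolver:
    """Constructed test double: public answer first, IMDS address afterwards."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host):
        self.calls += 1
        return ["8.8.8.8"] if self.calls == 1 else ["169.254.169.254"]


if __name__ == "__main__":
    url = "http://rebind.example.test/file.zip"   # constructed hostname
    print("check-then-refetch connects to:", check_then_refetch(url, RebindingResolver()))
    print("pinned download connects to:   ", pinned_target(url, RebindingResolver()))
```

With the pinned variant the second DNS answer is never consulted, so the resolver's later switch to a link-local address has no effect on where the download connects.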
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/core (Packagist) | < 8.5.7 | 8.5.7 |
Affected products
- Concrete CMS/Concrete CMS (description)
References
- github.com/advisories/GHSA-mcxr-fx5f-96qq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-22969 (ghsa, ADVISORY)
- documentation.concretecms.org/developers/introduction/version-history/857-release-notes (ghsa, x_refsource_MISC, WEB)
- hackerone.com/reports/1369312 (ghsa, x_refsource_MISC, WEB)