Moderate severity · NVD Advisory · Published Nov 19, 2021 · Updated Aug 3, 2024

CVE-2021-22970

Description

Concrete CMS 8.5.6 and below and 9.0.0 allow SSRF and DNS rebinding via local IP importing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The concrete5 CMS (now Concrete CMS) versions 8.5.6 and below, and version 9.0.0, contain a vulnerability in the local IP importing functionality. The system does not properly filter or validate the addresses that imports are fetched from, allowing an attacker to perform Server-Side Request Forgery (SSRF) against servers on the private LAN. Additionally, the SSRF mitigation can be bypassed through DNS rebinding: a hostname that passes the check at validation time can resolve to an internal address by the time the request is actually made. This issue is tracked as CVE-2021-22970 and was reported via HackerOne [1].

Exploitation

An attacker with local user privileges (required for importing) can craft requests that cause the server to read files from the local LAN or interact with internal network services. The attack leverages the import feature to send requests to arbitrary internal IP addresses, potentially bypassing SSRF protections via DNS rebinding [1]. The CVSS vector (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N) indicates relatively high complexity but requires only low privileges and no user interaction [1].

Impact

Successful exploitation results in the attacker being able to read files from the private LAN and potentially exploit other local network applications. The scope is changed (impacting resources beyond the original vulnerable component), but confidentiality impact is limited (low) with no impact on integrity or availability [1].

Mitigation

Concrete CMS released version 8.5.7 with security fixes for this issue (along with CVE-2021-22966 and others) [2]. Version 9.0.1 also addresses the vulnerability [3]. Users should upgrade to Concrete CMS 8.5.7 or later, or 9.0.1 or later. Concrete CMS will maintain security fixes for the 8.5.x branch until 1 May 2022 [1]. No workaround is documented beyond upgrading.
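As an added illustration (not code from Concrete CMS or from the advisory), the following Python contrasts a resolve-then-fetch SSRF filter on an import URL, which DNS rebinding defeats, with a check that pins the validated address for the actual connection. The resolver and the sample addresses are constructed stand-ins, not values taken from the vulnerability.

```python
import ipaddress
from typing import Callable, List

Resolver = Callable[[str], List[str]]  # hostname -> list of IP strings

# Ranges ipaddress.is_private does not flag on every Python version.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10"),  # CGNAT
                 ipaddress.ip_network("0.0.0.0/8")]      # "this" network

def is_internal(ip: str) -> bool:
    """True if an import must never fetch from this address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:  # ::ffff:10.0.0.1
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in EXTRA_BLOCKED)

def naive_check_then_fetch(host: str, resolver: Resolver) -> str:
    """Bypassable pattern: validate by resolving, then let the HTTP client resolve again.
    Returns the address the client would actually connect to."""
    for ip in resolver(host):
        if is_internal(ip):
            raise ValueError(f"blocked: {host} -> {ip}")
    # Second lookup: a rebinding DNS server can now answer with an internal address.
    return resolver(host)[0]

def pinned_fetch(host: str, resolver: Resolver) -> str:
    """Hardened pattern: resolve once, reject if any answer is internal,
    and connect to the validated IP (sending Host: <host>) with no second lookup."""
    answers = resolver(host)
    if not answers:
        raise ValueError(f"no address for {host}")
    for ip in answers:
        if is_internal(ip):
            raise ValueError(f"blocked: {host} -> {ip}")
    return answers[0]

class RebindingResolver:
    """Constructed stand-in for an attacker's DNS: public on the first query, internal after."""
    def __init__(self, first: str, then: str):
        self.answers = [first, then]
        self.calls = 0
    def __call__(self, host: str) -> List[str]:
        ip = self.answers[min(self.calls, 1)]
        self.calls += 1
        return [ip]
```

Redirects need the same treatment: each hop must be resolved and checked again, since a 3xx to an internal address is the other common way past a one-shot check.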

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/core (Packagist)
Affected versions: < 8.5.7
Patched versions: 8.5.7

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5