CWE-918
Server-Side Request Forgery (SSRF)
Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-664
CVEs mapped to this weakness (1,583)
page 35 of 80

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-27201 | — | Medium | 0.42 | 6.5 | 0.01 |  | Mar 15, 2022 | Jenkins Semantic Versioning Plugin 1.13 and earlier does not restrict execution of a controller/agent message to agents, and implements no limitations about the file path that can be parsed, allowing attackers able to control agent processes to have Jenkins parse a crafted file… |
| CVE-2022-24980 | — | High | 0.42 | 7.5 | 0.01 |  | Feb 19, 2022 | An issue was discovered in the Kitodo.Presentation (aka dif) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF,… |
| CVE-2022-23206 | — | High | 0.42 | 7.5 | 0.02 |  | Feb 6, 2022 | In Apache Traffic Control Traffic Ops prior to 6.1.0 or 5.1.6, an unprivileged user who can reach Traffic Ops over HTTPS can send a specially-crafted POST request to /user/login/oauth to scan a port of a server that Traffic Ops can reach. |
| CVE-2021-33571 | — | High | 0.42 | 7.5 | 0.03 |  | Jun 8, 2021 | In Django 2.2 before 2.2.24, 3.x before 3.1.12, and 3.2 before 3.2.4, URLValidator, validate_ipv4_address, and validate_ipv46_address do not prohibit leading zero characters in octal literals. This may allow a bypass of access control that is based on IP addresses.… |
| CVE-2021-31779 | — | Medium | 0.42 | 6.4 | 0.00 |  | Apr 28, 2021 | The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account. |
| CVE-2021-22696 | — | High | 0.42 | 7.5 | 0.07 |  | Apr 2, 2021 | CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also… |
| CVE-2020-28463 | — | Medium | 0.42 | 6.5 | 0.01 |  | Feb 18, 2021 | All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of… |
| CVE-2019-17400 | — | High | 0.42 | 7.5 | 0.02 |  | Oct 21, 2019 | The unoconv package before 0.9 mishandles untrusted pathnames, leading to SSRF and local file inclusion. |
| CVE-2019-6970 | — | High | 0.42 | 7.5 | 0.01 |  | Mar 21, 2019 | Moodle 3.5.x before 3.5.4 allows SSRF. |
| CVE-2018-1000421 | — | Medium | 0.42 | 6.5 | 0.01 |  | Jan 9, 2019 | An improper authorization vulnerability exists in Jenkins Mesos Plugin 0.17.1 and earlier in MesosCloud.java that allows attackers with Overall/Read access to initiate a test connection to an attacker-specified Mesos server with attacker-specified credentials IDs obtained… |
| CVE-2018-9920 | — | Medium | 0.42 | 6.5 | 0.01 |  | May 24, 2018 | Server side request forgery exists in the runtime application in K2 smartforms 4.6.11 via a modified hostname in an https://*/Identity/STS/Forms/Scripts URL. |
| CVE-2018-8801 | — | Medium | 0.42 | 6.5 | 0.01 |  | Apr 25, 2018 | GitLab Community and Enterprise Editions version 8.3 up to 10.x before 10.3 are vulnerable to SSRF in the Services and webhooks component. |
| CVE-2018-10174 | — | Medium | 0.42 | 6.5 | 0.01 |  | Apr 20, 2018 | Digital Guardian Management Console 7.1.2.0015 has an SSRF issue that allows remote attackers to read arbitrary files via file:// URLs, send TCP traffic to intranet hosts, or obtain an NTLM hash. This can occur even if the logged-in user has a read-only role. |
| CVE-2017-15886 | — | Medium | 0.42 | 6.5 | 0.02 |  | Dec 28, 2017 | Server-side request forgery (SSRF) vulnerability in Link Preview in Synology Chat before 2.0.0-1124 allows remote authenticated users to download arbitrary local files via a crafted URI. |
| CVE-2017-12071 | — | Medium | 0.42 | 6.5 | 0.01 |  | Sep 8, 2017 | Server-side request forgery (SSRF) vulnerability in file_upload.php in Synology Photo Station before 6.7.4-3433 and 6.3-2968 allows remote authenticated users to download arbitrary local files via the url parameter. |
| CVE-2017-11149 | — | Medium | 0.42 | 6.5 | 0.02 |  | Aug 14, 2017 | Server-side request forgery (SSRF) vulnerability in Downloader in Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2984 allows remote authenticated users to download arbitrary local files via a crafted URI. |
| CVE-2017-11148 | — | Medium | 0.42 | 6.5 | 0.01 |  | Aug 11, 2017 | Server-side request forgery (SSRF) vulnerability in link preview in Synology Chat before 1.1.0-0806 allows remote authenticated users to access intranet resources via unspecified vectors. |
| CVE-2017-10973 | — | Medium | 0.42 | 6.5 | 0.01 |  | Jul 6, 2017 | In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php has SSRF, related to requests for non-image files with a modified HTTP Host header. |
| CVE-2017-6036 | — | Medium | 0.42 | 6.5 | 0.01 |  | Jun 30, 2017 | A Server-Side Request Forgery issue was discovered in Belden Hirschmann GECKO Lite Managed switch, Version 2.0.00 and prior versions. The web server receives a request, but does not sufficiently verify that the request is being sent to the expected destination. |
| CVE-2017-9307 | — | Medium | 0.42 | 6.5 | 0.01 |  | May 31, 2017 | SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remote authenticated users to conduct port scans and access intranet servers via a crafted file parameter. |
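The check below is an added example written for this page; it is not code from CWE, NVD, or any product in the table. It implements the destination check the CWE description calls for: a server-side fetcher that only connects to public addresses, and that explicitly refuses the non-canonical IPv4 literals (leading-zero octal octets, hex, single integers) behind the Django validator bypass in CVE-2021-33571, rather than letting the C resolver reinterpret them. `DENIED_NETWORKS`, `FAKE_DNS` and the hostnames `app.example` / `meta.attacker.example` are constructed for the example; the default resolver uses `socket.getaddrinfo`, but the demo injects an offline fake so nothing is looked up.

```python
"""Destination check for a server-side URL fetcher (added example, not CWE/NVD code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher must never be steered into: "this network",
# RFC 1918, CGNAT, loopback, link-local (incl. 169.254.169.254 cloud metadata),
# multicast/reserved, and the IPv6 counterparts. Constructed list; extend it
# with your own internal prefixes.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def _has_leading_zero_octet(host):
    """True for dotted quads such as '0177.0.0.1' (the CVE-2021-33571 pattern)."""
    parts = host.split(".")
    return len(parts) == 4 and any(
        p.isdigit() and len(p) > 1 and p[0] == "0" for p in parts)


def classify_host(host):
    """Return an ip_address for a canonical IP literal, None for a DNS name.

    Anything the C resolver would still treat as a numeric IPv4 address
    ('0177.0.0.1' octal, '0x7f.0.0.1' hex, '2130706433' integer, '127.1'
    shorthand) but that is not canonical dotted-decimal is rejected outright:
    passing it on to DNS would let inet_aton() turn it into 127.0.0.1 behind
    the validator's back. The leading-zero test runs first because older
    ipaddress versions silently parse '0177' as decimal 177.
    """
    if _has_leading_zero_octet(host):
        raise ValueError(f"leading-zero octet rejected: {host!r}")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        socket.inet_aton(host)  # glibc/BSD inet_aton accepts the loose forms
    except OSError:
        return None  # not numeric at all: treat as a hostname
    raise ValueError(f"non-canonical IPv4 literal rejected: {host!r}")


def _default_resolve(host):
    """Real resolver: every address getaddrinfo returns, scope ids stripped."""
    return sorted({ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)})


def check_destination(url, resolve=_default_resolve):
    """Validate a user-supplied URL before a server-side fetch.

    Returns the IP addresses the fetch may connect to, or raises ValueError.
    The caller must connect to exactly these addresses and re-run this check
    on every redirect; resolving the name again at connect time reopens the
    DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # no file://, gopher://, ...
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    literal = classify_host(host)
    addrs = ([literal] if literal is not None
             else [ipaddress.ip_address(a) for a in resolve(host)])
    if not addrs:
        raise ValueError(f"unresolvable host: {host!r}")
    for addr in addrs:
        # ::ffff:127.0.0.1 is IPv4 in disguise; check the embedded address.
        inner = (addr.ipv4_mapped or addr) if addr.version == 6 else addr
        if any(inner in net for net in DENIED_NETWORKS):
            raise ValueError(f"{host!r} -> {addr} is inside the deny list")
    return [str(a) for a in addrs]


def is_allowed(url, resolve=_default_resolve):
    """Boolean wrapper around check_destination for callers that only gate."""
    try:
        check_destination(url, resolve)
        return True
    except ValueError:
        return False


# Constructed offline resolver for the demo; no real DNS lookups happen.
FAKE_DNS = {
    "app.example": ["203.0.113.10"],            # legitimate public target
    "meta.attacker.example": ["169.254.169.254"],  # attacker's name points inward
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://app.example/report",
              "http://meta.attacker.example/latest/meta-data/",
              "http://127.0.0.1:8080/", "http://0177.0.0.1/", "http://2130706433/",
              "http://[::ffff:127.0.0.1]/", "file:///etc/passwd",
              "http://u:p@app.example/"):
        print("allow " if is_allowed(u, fake_resolve) else "deny  ", u)
```

Two design points matter more than the deny list itself. First, the addresses returned by `check_destination` are the ones the HTTP client has to connect to; a client that re-resolves the hostname (which most do by default) can be handed a different answer on the second lookup. Second, an HTTP redirect is a fresh destination and goes through the same check, otherwise an allowed public host can bounce the fetcher into the metadata service. Where the set of legitimate targets is known, an allowlist of hosts is preferable to this kind of denylist.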