CWE-918
Server-Side Request Forgery (SSRF)
Description
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-664
CVEs mapped to this weakness (1,583)
Page 77 of 80

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-33510 | — | | 0.00 | — | 0.01 | | May 21, 2021 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. |
| CVE-2021-33511 | — | | 0.00 | — | 0.01 | | May 21, 2021 | Plone through 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. |
| CVE-2021-31779 | — | | 0.00 | — | 0.00 | | Apr 28, 2021 | The yoast_seo (aka Yoast SEO) extension before 7.2.1 for TYPO3 allows SSRF via a backend user account. |
| CVE-2021-29431 | | | 0.00 | — | 0.01 | | Apr 15, 2021 | Sydent is a reference Matrix identity server. Sydent can be induced to send HTTP GET requests to internal systems, due to lack of parameter validation or IP address blacklisting. It is not possible to exfiltrate data or control request headers, but it might be possible to use… |
| CVE-2021-22696 | | | 0.00 | — | 0.07 | | Apr 2, 2021 | CXF supports (via JwtRequestCodeFilter) passing OAuth 2 parameters via a JWT token as opposed to query parameters (see: The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)). Instead of sending a JWT token as a "request" parameter, the spec also… |
| CVE-2021-26715 | — | | 0.00 | — | 0.01 | | Mar 25, 2021 | The OpenID Connect server implementation for MITREid Connect through 1.3.3 contains a Server Side Request Forgery (SSRF) vulnerability. The vulnerability arises due to unsafe usage of the logo_uri parameter in the Dynamic Client Registration request. An unauthenticated attacker… |
| CVE-2021-21342 | | | 0.00 | — | 0.50 | | Mar 22, 2021 | XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new… |
| CVE-2020-11988 | — | | 0.00 | — | 0.07 | | Feb 24, 2021 | Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET… |
| CVE-2020-11987 | — | | 0.00 | — | 0.14 | | Feb 24, 2021 | Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. |
| CVE-2020-8902 | — | | 0.00 | — | 0.00 | | Feb 23, 2021 | Rendertron versions prior to 3.0.0 are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a rendertron headless chrome process to render internal sites it has access to, and display it as a screenshot.… |
| CVE-2020-28463 | — | | 0.00 | — | 0.01 | | Feb 18, 2021 | All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of… |
| CVE-2021-21288 | | | 0.00 | — | 0.01 | | Feb 8, 2021 | CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attackers to provide DNS entries or IP addresses that are… |
| CVE-2020-28735 | — | | 0.00 | — | 0.01 | | Dec 30, 2020 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). |
| CVE-2020-17513 | | | 0.00 | — | 0.04 | | Dec 14, 2020 | In Apache Airflow versions prior to 1.10.13, the Charts and Query View of the old (Flask-admin based) UI were vulnerable to SSRF attacks. |
| CVE-2020-28360 | — | | 0.00 | — | 0.03 | | Nov 23, 2020 | Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack… |
| CVE-2019-17566 | — | | 0.00 | — | 0.11 | | Nov 12, 2020 | Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the "xlink:href" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. |
| CVE-2020-28168 | — | | 0.00 | — | 0.02 | | Nov 6, 2020 | Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address. |
| CVE-2020-24710 | — | | 0.00 | — | 0.01 | | Oct 28, 2020 | Gophish before 0.11.0 allows SSRF attacks. |
| CVE-2020-27197 | — | | 0.00 | — | 0.02 | | Oct 17, 2020 | TAXII libtaxii through 1.1.117, as used in EclecticIQ OpenTAXII through 0.2.0 and other products, allows SSRF via an initial http:// substring to the parse method, even when the no_network setting is used for the XML parser. NOTE: the vendor points out that the parse method… |
| CVE-2020-7740 | — | | 0.00 | — | 0.02 | | Oct 6, 2020 | This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack. |