Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistGitHub_MCVELIST:CVE-2024-22203
HistoryJan 23, 2024 - 5:20 p.m.

CVE-2024-22203 Whoogle Search Server Side Request Forgery vulnerability

2024-01-2317:20:15
CWE-918
GitHub_M
www.cve.org
3
whoogle search
server side request forgery
vulnerability
self-hosted
metasearch engine
request forgery
internal network
external resources
fixed
cve-2024-22203

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

45.5%

JSON

Whoogle Search is a self-hosted metasearch engine. In versions prior to 0.8.4, the element method in app/routes.py does not validate the user-controlled src_type and element_url variables and passes them to the send method which sends a GET request on lines 339-343 in request.py, which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.

CNA Affected

[
  {
    "vendor": "benbusby",
    "product": "whoogle-search",
    "versions": [
      {
        "version": "< 0.8.4",
        "status": "affected"
      }
    ]
  }
]

Related

prion 1
veracode 1
cve 1
osv 3
nvd 1
github 1
prion
prion
Server side request forgery (ssrf)
2024-01-23 18:15:00
veracode
veracode
Server Side Request Forgery (SSRF)
2024-01-25 04:43:47
cve
cve
CVE-2024-22203
2024-01-23 18:15:18
osv
osv
Whoogle Search Path Traversal vulnerability
2024-03-14 20:37:57
PYSEC-2024-20
2024-01-23 18:15:00
CVE-2024-22203
2024-01-23 18:15:18
nvd
nvd
CVE-2024-22203
2024-01-23 18:15:18
github
github
Whoogle Search Path Traversal vulnerability
2024-03-14 20:37:57

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

45.5%

JSON
Related for CVELIST:CVE-2024-22203
prion1veracode1cve1osv3nvd1github1