Lucene search

GitHub Advisory DatabaseGHSA-WX24-VQRG-M6M5

HistoryMay 22, 2024 - 9:30 p.m.

VuFind Server-Side Request Forgery (SSRF) vulnerability

2024-05-2221:30:35

CWE-918

GitHub Advisory Database

github.com

server-side request forgery

open library foundation vufind

remote attacker

local configuration files

administrator panel

remote code execution

allow_url_include

php runtime setting

upgrade route

autoconfigure

7.9 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

JSON

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which is exposed by default after installing VuFind, and is recommended to be disabled by setting autoConfigure to false in config.ini.

Affected configurations

Vulners

Node

vufindRange2.0≥

vufindRange<9.1.1

CPENameOperatorVersion
vufind/vufindge2.0
vufind/vufindlt9.1.1

CPE	Name	Operator	Version
	vufind/vufind	ge	2.0
	vufind/vufind	lt	9.1.1

References

github.com/advisories/GHSA-wx24-vqrg-m6m5

github.com/vufind-org/vufind/commit/a19577d3d87d68e5c3f8ade63added44882a193c

nvd.nist.gov/vuln/detail/CVE-2024-25738

vufind.org/wiki/security:cve-2024-25738