Lucene search

[email protected]NVD:CVE-2021-31216

HistoryJul 19, 2021 - 1:15 p.m.

CVE-2021-31216

2021-07-1913:15:08

CWE-918

[email protected]

web.nvd.nist.gov

siren investigate

ssrf

vulnerability

image proxy

external urls

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

25.8%

JSON

Siren Investigate before 11.1.1 contains a server side request forgery (SSRF) defect in the built-in image proxy route (which is enabled by default). An attacker with access to the Investigate installation can specify an arbitrary URL in the parameters of the image proxy route and fetch external URLs as the Investigate process on the host.

Affected configurations

Nvd

Node

sireninvestigateRange<11.1.1

VendorProductVersionCPE
sireninvestigate*cpe:2.3:a:siren:investigate:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
siren	investigate	*	cpe:2.3:a:siren:investigate::::::::

References

community.siren.io/c/announcements

docs.siren.io/siren-platform-user-guide/11.1/release-notes.html

CVSS2

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

25.8%

JSON

Related for NVD:CVE-2021-31216

cve1 cvelist1 prion1 cnvd1