Lucene search
GoogleOSV:GHSA-MCXR-FX5F-96QQHistoryNov 23, 2021 - 6:18 p.m.
Server-Side Request Forgery in Concrete CMS
2021-11-2318:18:35
Google
osv.dev
8
concrete cms
ssrf mitigation bypass
dns rebind attack
cloud iaas
iam keys
download restriction
EPSS
0.001
Percentile
36.0%
Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer.
Related
nvd
nvd
CVE-2021-22969
2021-11-19 19:15:08
prion
prion
Design/Logic Flaw
2021-11-19 19:15:00
github
github
Server-Side Request Forgery in Concrete CMS
2021-11-23 18:18:35
veracode
veracode
Server-Side Request Forgery (SSRF)
2021-11-24 16:29:47
cvelist
cvelist
CVE-2021-22969
2021-11-19 18:08:30
hackerone
hackerone
Concrete CMS: SSRF mitigation bypass using DNS Rebind attack
2021-10-13 13:27:58
cnvd
cnvd
PortlandLabs Concrete Cms Code Issue Vulnerability (CNVD-2021-94042)
2021-11-23 00:00:00
cve
cve
CVE-2021-22969
2021-11-19 19:15:08
openvas
openvas
Concrete CMS < 8.5.7 Multiple Vulnerabilities
2021-11-22 00:00:00