CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
26.4%
What kind of vulnerability is it? Who is impacted?
SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When malicious app is uploaded to Static analyzer, it is possible to make internal requests.
Credits: Oleg Surnin (Positive Technologies).
Has the problem been patched? What versions should users upgrade to?
v3.9.8 and above
Is there a way for users to fix or remediate the vulnerability without upgrading?
Code level patch
Are there any links users can visit to find out more?
https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
github.com/MobSF/Mobile-Security-Framework-MobSF
github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716
github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx
nvd.nist.gov/vuln/detail/CVE-2024-31215
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
26.4%