Veracode Vulnerability DatabaseVERACODE:45268Server-Side Request Forgery
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
38.5%
github.com/apache/servicecomb-service-center is vulnerable to Server-Side Request Forgery. The vulnerability is due to server.go because there is improper validation for user-supplied URLs or IP addresses that the service accesses for schema validation purposes. An attacker can craft a request and interact with internal services or retrieve sensitive information.
References
www.openwall.com/lists/oss-security/2024/01/31/4
github.com/advisories/GHSA-9xc9-xq7w-vpcr
github.com/apache/servicecomb-service-center/commit/ec10299a7da72a0f320e572183c7b9fc1bf2a965
github.com/apache/servicecomb-service-center/pull/1374
github.com/apache/servicecomb-service-center/releases/tag/v2.2.0
issues.apache.org/jira/browse/SCB-2818
lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
38.5%