CVE-2021-29357

Published: Apr 12, 2021Modified: Nov 21, 2024

8.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 4.0

Source: NVD

Description

The ECT Provider component in OutSystems Platform Server 10 before 10.0.1104.0 and 11 before 11.9.0 (and LifeTime management console before 11.7.0) allows SSRF for arbitrary outbound HTTP requests.

Affected (3)

Products: Outsystems: Lifetime Management Console, Outsystems, Platform Server

Outsystems

3 products

Lifetime Management Console

Outsystems

Platform Server

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Outsystems Lifetime Management Console	From 11 to 11.7.0
Outsystems Outsystems	From 10 to 10.0.1104.0
Outsystems Platform Server	From 11 to 11.9.0

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://labs.integrity.pt/advisories/cve-2021-29357/

Source: cve@mitre.org

Third Party Advisory

https://success.outsystems.com/Support/Security/Vulnerabilities/Vulnerability_RTAF-2226

Source: cve@mitre.org

Vendor Advisory

https://labs.integrity.pt/advisories/cve-2021-29357/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://success.outsystems.com/Support/Security/Vulnerabilities/Vulnerability_RTAF-2226

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.