CVE-2022-24862

Published: Apr 20, 2022Modified: Nov 21, 2024

7.7

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Exploitability: 3.1 / Impact: 4.0

Source: NVD

Description

Databasir is a team-oriented relational database model document management platform. Databasir 1.01 has Server-Side Request Forgery vulnerability. During the download verification process of a JDBC driver the corresponding JDBC driver download address will be downloaded first, but this address will return a response page with complete error information when accessing a non-existent URL. Attackers can take advantage of this feature for SSRF.

Affected (1)

Products: Databasir Project: Databasir

Databasir Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Databasir Project Databasir	Version 1.0.1

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/vran-dev/databasir/releases/tag/v1.0.2

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/vran-dev/databasir/security/advisories/GHSA-r8m9-r74j-vc6m

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/vran-dev/databasir/releases/tag/v1.0.2

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/vran-dev/databasir/security/advisories/GHSA-r8m9-r74j-vc6m

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.