Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

CVEs (2,678)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-36349 1Dell 1Emc Data Protection Central Nov 21, 2024 Jan 24, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing. A remote malicious user could potentially exploit this vulnerability, allowin...Show more Dell EMC Data Protection Central versions 19.5 and prior contain a Server Side Request Forgery vulnerability in the DPC DNS client processing. A remote malicious user could potentially exploit this vulnerability, allowing port scanning of external hosts.Show less
CVE-2021-23664 1Isomorphic Git 1Cors Proxy Nov 21, 2024 Jan 21, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 The package @isomorphic-git/cors-proxy before 2.7.1 are vulnerable to Server-side Request Forgery (SSRF) due to missing sanitization and validation of the redirection action in middleware.js.
CVE-2021-41809 1M Files 1M Files Server Feb 23, 2026 Jan 18, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities.
CVE-2021-39927 1Gitlab 1Gitlab Nov 21, 2024 Jan 18, 2022 N/A· v4 4.3 MEDIUM· v3 3.5 LOW· v2 Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on por...Show more Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.4, between 14.5.0 and 14.5.2, and between 14.6.0 and 14.6.1 would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443Show less
CVE-2021-45394 1Html2pdf Project 1Html2pdf Nov 21, 2024 Jan 18, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.
CVE-2022-22702 1Partkeepr 1Partkeepr Nov 21, 2024 Jan 10, 2022 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 PartKeepr versions up to v1.4.0, in the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF at...Show more PartKeepr versions up to v1.4.0, in the functionality to upload attachments using a URL when creating a part does not validate that requests can be made to local ports, allowing an authenticated user to carry out SSRF attacks and port enumeration.Show less
CVE-2022-0132 1Framasoft 1Peertube Nov 21, 2024 Jan 10, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 peertube is vulnerable to Server-Side Request Forgery (SSRF)
CVE-2021-27738 1Apache 1Kylin Nov 21, 2024 Jan 6, 2022 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary...Show more All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.Show less
CVE-2022-0086 1Transloadit 1Uppy Nov 21, 2024 Jan 4, 2022 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 uppy is vulnerable to Server-Side Request Forgery (SSRF)
CVE-2021-44659 1Thoughtworks 1Gocd Nov 21, 2024 Dec 22, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the o...Show more Adding a new pipeline in GoCD server version 21.3.0 has a functionality that could be abused to do an un-intended action in order to achieve a Server Side Request Forgery (SSRF). NOTE: the vendor's position is that the observed behavior is not a vulnerability, because the product's design allows an admin to configure outbound requestsShow less
CVE-2021-22056 1Vmware 3Identity Manager Vrealize AutomationWorkspace One Access Nov 21, 2024 Dec 20, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary ori...Show more VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.Show less
CVE-2021-22054 1Vmware 1Workspace One Uem Console Mar 10, 2026 Dec 17, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with...Show more VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain an SSRF vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.Show less
CVE-2021-3959 1Bitdefender 1Gravityzone Nov 21, 2024 Dec 16, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Bitdef...Show more A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Bitdefender GravityZone versions prior to 3.3.8.272Show less
CVE-2021-34425 1Zoom 1Meetings Nov 21, 2024 Dec 14, 2021 N/A· v4 6.1 MEDIUM· v3 4.0 MEDIUM· v2 The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In versions prior to 5.7.3,...Show more The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat\'s "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly.Show less
CVE-2021-39057 1Ibm 1Spectrum Protect Plus Nov 21, 2024 Dec 13, 2021 N/A· v4 8.1 HIGH· v3 5.5 MEDIUM· v2 IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to netw...Show more IBM Spectrum Protect Plus 10.1.0.0 through 10.1.8.x is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 214616.Show less
CVE-2021-39935 1Gitlab 1Gitlab Feb 4, 2026 Dec 13, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external us...Show more An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint APIShow less
CVE-2021-37940 1Elastic 1Enterprise Search Nov 21, 2024 Dec 7, 2021 N/A· v4 6.8 MEDIUM· v3 4.0 MEDIUM· v2 An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search ad...Show more An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the GHES integration to view hosts that might not be publicly accessible.Show less
CVE-2021-4075 1Snipeitapp 1Snipe It Nov 21, 2024 Dec 6, 2021 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 snipe-it is vulnerable to Server-Side Request Forgery (SSRF)
CVE-2021-40091 1Squaredup 1Squaredup Nov 21, 2024 Dec 6, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An SSRF issue was discovered in SquaredUp for SCOM 5.2.1.6654.
CVE-2021-29863 1Ibm 1Qradar Security Information And Event Manager Nov 21, 2024 Dec 1, 2021 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 IBM QRadar SIEM 7.3 and 7.4 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facil...Show more IBM QRadar SIEM 7.3 and 7.4 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. This vulnerability is due to an incomplete fix for CVE-2020-4786. IBM X-Force ID: 206087.Show less

Previous 1...107108109...134 Next