CWE-918

2,643 CVEs • Abstraction: Base

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.


CVEs (2,643)

Vendors: Hcltech
Products: Hcl Digital Experience
Updated: Nov 21, 2024 · Published: Jun 11, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
"HCL Digital Experience is susceptible to Server Side Request Forgery."

Vendors: Sap
Products: Netweaver Application Server Abap
Updated: Nov 21, 2024 · Published: Jun 10, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 6.8 MEDIUM
SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database.

Vendors: Ibm
Products: Maximo Asset Management
Updated: Nov 21, 2024 · Published: Jun 8, 2020
CVSS: v4 N/A · v3 7.4 HIGH · v2 6.5 MEDIUM
IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 182713.

Vendors: Fedoraproject, Kubernetes
Products: Fedora, Kubernetes
Updated: Nov 21, 2024 · Published: Jun 5, 2020
CVSS: v4 N/A · v3 6.3 MEDIUM · v2 3.5 LOW
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).

Vendors: Fedoraproject, Grafana, Netapp, +1 more
Products: Backports Sle, E Series Performance Analyzer, Fedora, +2 more
Updated: Nov 21, 2024 · Published: Jun 3, 2020
CVSS: v4 N/A · v3 8.2 HIGH · v2 6.4 MEDIUM
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.

Vendors: Piwigo
Products: Lexiglot
Updated: Nov 21, 2024 · Published: Jun 1, 2020
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
Lexiglot through 2014-11-20 allows SSRF via the admin.php?page=projects svn_url parameter.

Vendors: Wso2
Products: Api Manager
Updated: Nov 21, 2024 · Published: May 20, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet.

Vendors: Ibm
Products: Websphere Application Server
Updated: Nov 21, 2024 · Published: May 14, 2020
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 4.0 MEDIUM
IBM WebSphere Application Server 8.5 is vulnerable to server-side request forgery. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 178964.

Vendors: Commscope
Products: Ruckus Zoneflex R500 Firmware
Updated: Nov 21, 2024 · Published: May 5, 2020
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
CSRF in login.asp on Ruckus devices allows an attacker to access the panel, and use SSRF to perform scraping or other analysis via the SUBCA-1 field on the Wireless Admin screen.

Vendors: Cybozu
Products: Garoon
Updated: Nov 21, 2024 · Published: Apr 28, 2020
CVSS: v4 N/A · v3 4.9 MEDIUM · v2 4.0 MEDIUM
Server-side request forgery (SSRF) vulnerability in Cybozu Garoon 4.6.0 to 4.6.3 allows a remote attacker with an administrative privilege to issue arbitrary HTTP requests to other web servers via V-CUBE Meeting function.

Vendors: Wso2
Products: Enterprise Integrator
Updated: Nov 21, 2024 · Published: Apr 17, 2020
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
WSO2 Enterprise Integrator through 6.6.0 has an XXE vulnerability where a user (with admin console access) can use the XML validator to make unintended network invocations such as SSRF via an uploaded file.

Vendors: Ibm
Products: Qradar Security Information And Event Manager
Updated: Nov 21, 2024 · Published: Apr 15, 2020
CVSS: v4 N/A · v3 6.3 MEDIUM · v2 6.5 MEDIUM
IBM QRadar 7.3.0 to 7.3.3 Patch 2 is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. IBM X-Force ID: 176404.

Vendors: Gitlab
Products: Gitlab
Updated: Nov 21, 2024 · Published: Apr 8, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
GitLab EE/CE 8.0.rc1 to 12.9 is vulnerable to a blind SSRF in the FogBugz integration.

Vendors: Microstrategy
Products: Microstrategy Web
Updated: Nov 21, 2024 · Published: Apr 2, 2020
CVSS: v4 N/A · v3 5.3 MEDIUM · v2 5.0 MEDIUM
Microstrategy Web 10.4 is vulnerable to Server-Side Request Forgery in the Test Web Service functionality exposed through the path /MicroStrategyWS/. The functionality requires no authentication and, while it is not possible to pass parameters in the SSRF request, it is still possible to exploit it to conduct port scanning. An attacker could exploit this vulnerability to enumerate the resources allocated in the network (IP addresses and services exposed). NOTE: MicroStrategy is unable to reproduce the issue reported in any version of its product.

Vendors: Microstrategy
Products: Microstrategy Web
Updated: Nov 21, 2024 · Published: Apr 2, 2020
CVSS: v4 N/A · v3 4.3 MEDIUM · v2 4.0 MEDIUM
Microstrategy Web 10.4 includes functionality to allow users to import files or data from external resources such as URLs or databases. By providing an external URL under attacker control, it's possible to send requests to external resources (aka SSRF) or leak files from the local system using the file:// stream wrapper.

Vendors: Gitlab
Products: Gitlab
Updated: Nov 21, 2024 · Published: Mar 27, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
GitLab 8.10 and later through 12.9 is vulnerable to an SSRF in a project import note feature.

Vendors: Adobe
Products: Experience Manager
Updated: Nov 21, 2024 · Published: Mar 25, 2020
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
Adobe Experience Manager versions 6.5 and earlier have a server-side request forgery (SSRF) vulnerability. Successful exploitation could lead to sensitive information disclosure.

Vendors: It Novum
Products: Openitcockpit
Updated: Nov 21, 2024 · Published: Mar 25, 2020
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
app/Plugin/GrafanaModule/Controller/GrafanaConfigurationController.php in openITCOCKPIT before 3.7.3 allows remote authenticated users to trigger outbound TCP requests (aka SSRF) via the Test Connection feature (aka testGrafanaConnection) of the Grafana Module.

Vendors: Simplemachines
Products: Simple Machine Forum
Updated: Nov 21, 2024 · Published: Mar 20, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17. There is SSRF related to Subs-Package.php and Subs.php because user-supplied data is used directly in curl calls.

Vendors: Nextcloud
Products: Nextcloud Server
Updated: Nov 21, 2024 · Published: Mar 20, 2020
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.0 MEDIUM
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.