Total: 774 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2019-8451 | 1 Atlassian | 1 Jira Server | 2022-03-28 | 6.4 MEDIUM | 6.5 MEDIUM | The /plugins/servlet/gadgets/makeRequest resource in Jira before version 8.4.0 allows remote attackers to access the content of internal network resources via a Server Side Request Forgery (SSRF) vulnerability due to a logic bug in the JiraWhitelist class.
CVE-2022-27245 | 1 Misp | 1 Misp | 2022-03-25 | 6.8 MEDIUM | 8.8 HIGH | An issue was discovered in MISP before 2.4.156. app/Model/Server.php does not restrict generateServerSettings to the CLI. This could lead to SSRF.
CVE-2018-13404 | 1 Atlassian | 2 Jira, Jira Server | 2022-03-25 | 4.0 MEDIUM | 4.1 MEDIUM | The VerifyPopServerConnection resource in Atlassian Jira before version 7.6.10, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and from version 7.13.0 before version 7.13.1 allows remote attackers who have administrator rights to determine the existence of internal hosts & open ports and in some cases obtain service information from internal network resources via a Server Side Request Forgery (SSRF) vulnerability.
CVE-2021-46107 | 1 Ligeo-archives | 1 Ligeo Basics | 2022-03-24 | 5.0 MEDIUM | 7.5 HIGH | Ligeo Archives Ligeo Basics as of 02_01-2022 is vulnerable to Server Side Request Forgery (SSRF) which allows an attacker to read any documents via the download features.
CVE-2021-45851 | 1 Frangoteam | 1 Fuxa | 2022-03-23 | 5.0 MEDIUM | 7.5 HIGH | A Server-Side Request Forgery (SSRF) attack in FUXA 1.1.3 can be carried out leading to the obtaining of sensitive information from the server's internal environment and services, often potentially leading to the attacker executing commands on the server.
CVE-2022-0870 | 1 Gogs | 1 Gogs | 2022-03-22 | 5.0 MEDIUM | 5.3 MEDIUM | Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.5.
CVE-2021-39051 | 1 Ibm | 1 Spectrum Copy Data Management | 2022-03-22 | 6.4 MEDIUM | 6.5 MEDIUM | IBM Spectrum Copy Data Management 2.2.0.0 through 2.2.14.3 is vulnerable to server-side request forgery, caused by improper input of application server registration function. A remote attacker could exploit this vulnerability using the host address and port fields of the application server registration form in the portal UI to enumerate and attack services that are running on those hosts. IBM X-Force ID: 214441.
CVE-2022-22993 | 1 Westerndigital | 11 My Cloud, My Cloud Dl2100, My Cloud Dl4100 and 8 more | 2022-03-18 | 8.3 HIGH | 8.8 HIGH | A limited SSRF vulnerability was discovered on Western Digital My Cloud devices that could allow an attacker to impersonate a server and reach any page on the server by bypassing access controls. The vulnerability was addressed by creating a whitelist for valid parameters.
CVE-2021-37419 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2022-03-18 | 5.0 MEDIUM | 7.5 HIGH | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.
CVE-2021-43954 | 1 Atlassian | 2 Crucible, Fisheye | 2022-03-18 | 4.0 MEDIUM | 4.3 MEDIUM | The DefaultRepositoryAdminService class in Fisheye and Crucible before version 4.8.9 allowed remote attackers, who have 'can add repository permission', to enumerate the existence of internal network and filesystem resources via a Server-Side Request Forgery (SSRF) vulnerability.
CVE-2022-0339 | 1 Calibre-web Project | 1 Calibre-web | 2022-03-17 | 7.5 HIGH | 9.8 CRITICAL | Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16.
CVE-2022-24739 | 1 Alltube Project | 1 Alltube | 2022-03-14 | 4.0 MEDIUM | 6.1 MEDIUM | alltube is an HTML front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack (depending on how AllTube is configured). The impact is mitigated by the fact that the SSRF attack is only possible when the `stream` option is enabled in the configuration. (This option is disabled by default.) 3.0.3 contains a fix for this vulnerability.
CVE-2022-0767 | 1 Calibre-web Project | 1 Calibre-web | 2022-03-14 | 7.5 HIGH | 9.9 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
CVE-2022-0766 | 1 Calibre-web Project | 1 Calibre-web | 2022-03-11 | 7.5 HIGH | 9.8 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository janeczku/calibre-web prior to 0.6.17.
CVE-2021-20325 | 1 Redhat | 1 Enterprise Linux | 2022-03-08 | 10.0 HIGH | 9.8 CRITICAL | Missing fixes for CVE-2021-40438 and CVE-2021-26691 in the versions of httpd, as shipped in Red Hat Enterprise Linux 8.5.0, cause a security regression compared to the versions shipped in Red Hat Enterprise Linux 8.4. A user who installs or updates to Red Hat Enterprise Linux 8.5.0 would be vulnerable to the mentioned CVEs, even if they were properly fixed in Red Hat Enterprise Linux 8.4. CVE-2021-20325 was assigned to that Red Hat specific security regression and it does not affect the upstream versions of httpd.
CVE-2022-25260 | 1 Jetbrains | 1 Hub | 2022-03-08 | 6.4 MEDIUM | 9.1 CRITICAL | JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).
CVE-2022-0768 | 1 Alltubedownload | 1 Alltube | 2022-03-08 | 6.4 MEDIUM | 9.1 CRITICAL | Server-Side Request Forgery (SSRF) in GitHub repository rudloff/alltube prior to 3.0.2.
CVE-2022-24333 | 1 Jetbrains | 1 Teamcity | 2022-03-04 | 4.0 MEDIUM | 6.5 MEDIUM | In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call was possible.
CVE-2022-24980 | 1 Kitodo | 1 Kitodo.presentation | 2022-03-04 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in the Kitodo.Presentation (aka dlf) extension before 2.3.2, 3.x before 3.2.3, and 3.3.x before 3.3.4 for TYPO3. A missing access check in an eID script allows an unauthenticated user to submit arbitrary URLs to this component. This results in SSRF, allowing attackers to view the content of any file or webpage the webserver has access to.
CVE-2022-21215 | 1 Airspan | 9 A5x, A5x Firmware, C5c and 6 more | 2022-02-25 | 10.0 HIGH | 9.8 CRITICAL | This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to the Mimosa MMP server, or request pages that could perform some actions themselves. The attacker could force the server into accessing routes on those cloud-hosting platforms, accessing secret keys, changing configurations, etc. Affecting MMP: all versions prior to v1.0.3; PTP C-series: device versions prior to v2.8.6.1; and PTMP C-series and A5x: device versions prior to v2.5.4.1.