CVE Vulnerabilities

CVE-2018-1000553

Server-Side Request Forgery (SSRF)

Published: Jun 26, 2018 | Modified: Aug 17, 2018
CVSS 3.x: 8.8 HIGH (source: NVD)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 6.5 MEDIUM
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Trovebox version <= 4.0.0-rc6 contains a Server-Side Request Forgery vulnerability in the webhook component that can result in reading or updating internal resources. This attack appears to be exploitable via an HTTP request. This vulnerability appears to have been fixed in commit 742b8ed.

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
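The mitigation for this weakness is to validate the destination before the server fetches a user-supplied webhook URL. The following is an added example, not Trovebox's code or the fix in commit 742b8ed; the function names (`validate_webhook_url`, `_resolve_all`), the allowed scheme set and the constructed resolver results in the comments are assumptions made for illustration. It rejects non-HTTP schemes, embedded credentials, unresolvable names, and any address (including every A/AAAA record and IPv4-mapped IPv6 forms) that is loopback, private, link-local, multicast or otherwise non-public.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Schemes a webhook sender is willing to use (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed_address(addr) -> bool:
    """True for any address that is not a plain public unicast address."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _resolve_all(host: str) -> List[str]:
    """Resolve every A/AAAA record for host (hypothetical helper).

    All records are checked, not only the first one: a name that mixes a
    public and an internal address must still be rejected.
    """
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_webhook_url(url: str,
                         resolver: Optional[Callable[[str], List[str]]] = None
                         ) -> Tuple[bool, str]:
    """Return (ok, reason) for a webhook URL supplied by a user.

    `resolver` maps a hostname to its IP strings; it is injectable so the
    check can be exercised offline with constructed resolver results.
    """
    resolver = resolver or _resolve_all
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable URL"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"

    host = parts.hostname  # brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"

    # An IP literal needs no DNS lookup; anything else is resolved.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = resolver(host)
        except socket.gaierror:
            ips = []
    if not ips:
        return False, "hostname does not resolve"

    for ip in ips:
        addr = ipaddress.ip_address(ip)
        # ::ffff:10.0.0.5 must be judged by its IPv4 form, not as IPv6.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if _is_disallowed_address(addr):
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver result standing in for DNS (93.184.216.34 is a
    # public address used here only as sample data).
    public = lambda _host: ["93.184.216.34"]
    print(validate_webhook_url("https://hooks.example.com/notify", public))
    print(validate_webhook_url("http://127.0.0.1:8080/", public))
    print(validate_webhook_url("http://[::ffff:10.0.0.5]/", public))
```

Two caveats apply when using a check like this in front of a real HTTP client. The name is resolved once here and again by the client, so a record that changes between the two lookups (DNS rebinding) evades the check unless the client is made to connect to the address that was validated. Likewise, the client must not follow redirects automatically, or each redirect target must be passed through the same validation before it is fetched.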

Affected Software

Name       Vendor     Start Version            End Version
Trovebox   Trovebox   *                        3.0.0 (including)
Trovebox   Trovebox   4.0.0-rc2 (including)    4.0.0-rc2 (including)
Trovebox   Trovebox   4.0.0-rc5 (including)    4.0.0-rc5 (including)
Trovebox   Trovebox   4.0.0-rc6 (including)    4.0.0-rc6 (including)

References