6.5
CVE-2020-16171
- EPSS 11.24%
- Published 21.09.2020 14:15:13
- Last modified 21.11.2024 05:06:54
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
An issue was discovered in Acronis Cyber Backup before 12.5 Build 16342. Some API endpoints on port 9877 under /api/ams/ accept an additional custom Shard header. The value of this header is afterwards used in a separate web request issued by the application itself. This can be abused to conduct SSRF attacks against otherwise unreachable Acronis services that are bound to localhost such as the NotificationService on 127.0.0.1:30572.
Data is provided by the National Vulnerability Database (NVD)
Acronis ≫ Cyber Backup Version <= 12.5
Acronis ≫ Cyber Backup Version12.5 Update-
Acronis ≫ Cyber Backup Version12.5 Update10130
Acronis ≫ Cyber Backup Version12.5 Update10330
Acronis ≫ Cyber Backup Version12.5 Update11010
Acronis ≫ Cyber Backup Version12.5 Update13160
Acronis ≫ Cyber Backup Version12.5 Update13400
Acronis ≫ Cyber Backup Version12.5 Update14280
Acronis ≫ Cyber Backup Version12.5 Update14330
Acronis ≫ Cyber Backup Version12.5 Update16180
Acronis ≫ Cyber Backup Version12.5 Update16318
Acronis ≫ Cyber Backup Version12.5 Update16327
Acronis ≫ Cyber Backup Version12.5 Update7641
Acronis ≫ Cyber Backup Version12.5 Update7970
Acronis ≫ Cyber Backup Version12.5 Update8850
Acronis ≫ Cyber Backup Version12.5 Update9010
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 11.24% | 0.932 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 3.9 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
|
| nvd@nist.gov | 6.4 | 10 | 4.9 |
AV:N/AC:L/Au:N/C:P/I:P/A:N
|
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.