CVE-2023-7078

EPSS 0.05%
Published 29.12.2023 12:15:47
Last modified 21.11.2024 08:45:12
Source cna@cloudflare.com
CVE-Watchlists
Login
Open
Login

Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cloudflare ≫ Miniflare SwPlatformnode.js Version >= 3.20230821.0 < 3.20231030.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.136

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cna@cloudflare.com	7.5	1.2	5.8	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/cloudflare/workers-sdk/pull/4532

Patch

https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7

Patch

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-7078

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-7078

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-7078

EUVD