CVE-2024-41812

Exploit

EPSS 0.33%
Veröffentlicht 26.07.2024 17:15:12
Zuletzt bearbeitet 21.11.2024 09:33:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

txtdot is an HTTP proxy that parses only text, links, and pictures from pages, removing ads and heavy scripts. Prior to version 1.7.0, a Server-Side Request Forgery (SSRF) vulnerability in the `/get` route of txtdot allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network. Version 1.7.0 prevents displaying the response of forged requests, but the requests can still be sent. For complete mitigation, a firewall between txtdot and other internal network resources should be set.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Txtdot ≫ Txtdot Version < 1.7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.553

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47

Patch

https://github.com/TxtDot/txtdot/commit/7c72d985f7a26ec1fd3cf628444717ca54986d2d

Patch

https://github.com/TxtDot/txtdot/security/advisories/GHSA-4gj5-xj97-j8fp

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-41812

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41812

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41812

EUVD