CVE-2024-41813

Exploit

EPSS 0.33%
Veröffentlicht 26.07.2024 17:15:12
Zuletzt bearbeitet 21.11.2024 09:33:07
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

txtdot is an HTTP proxy that parses only text, links, and pictures from pages, removing ads and heavy scripts. Starting in version 1.4.0 and prior to version 1.6.1, a Server-Side Request Forgery (SSRF) vulnerability in the `/proxy` route of txtdot allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network. Version 1.6.1 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Txtdot ≫ Txtdot Version >= 1.4.0 < 1.6.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.553

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/TxtDot/txtdot/blob/a7fdaf80fdf45abefe83b2eb5135ba112142dc74/src/handlers/distributor.ts#L43-L47

Patch

https://github.com/TxtDot/txtdot/commit/f241a46e05b148a39b84bf956051b5aaa489949e

Patch

https://github.com/TxtDot/txtdot/security/advisories/GHSA-4c78-229v-hf6m

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-41813

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-41813

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-41813

EUVD