Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-33581: advisories/2021/CVE-2021-33581 at master · blackarrowsec/advisories

MashZone NextGen through 10.7 GA has an SSRF vulnerability that allows an attacker to interact with arbitrary TCP services, by abusing the feature to check the availability of a PPM connection. This occurs in com.idsscheer.ppmmashup.web.webservice.impl.ZPrestoAdminWebService.

CVE
Open in Source
#vulnerability#web#git

CVE-2021-33581: Server Side Request Forgery (SSRF)

Vendor: Software AG
Vendor URL: https://www.softwareag.com/corporate/products/az/mashzone_nextgen/default
Versions affected: MashZone NextGen 10.7 GA | Build 1607 (Vendor did not provide data about other affected versions)
Discovered by: Marcos Díaz
Public fix: No
Proof of Concept: No

Summary

MashZone NextGen 10.7 GA | Build 1607 and likely other/older versions, are affected by a SSRF.

Details

The HTTP endpoint /mashzone/mzservices/admin/getppmversion parameter url performs HTTP connections to arbitrary URLs.

Impact

This vulnerability can be used in combination to CVE-2021-33207 to achieve RCE.

Recommendation

Make sure you have changed the default administrative credentials. At this point we do not have information about a fix from Software AG.

Timeline

  • 19/05/2021 - Reported vulnerability to vendor
  • 31/08/2021 - A representative from Software AG asks for details
  • 30/03/2022 - Public Disclosure

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE