Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-30019: CVE-2023-30019: SSRF in imgproxy<=3.14.0

imgproxy <= 3.6.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.

CVE
Open in Source
#vulnerability#git#ssrf

GitHub - imgproxy/imgproxy: Fast and secure standalone server for resizing and converting remote images

Fast and secure standalone server for resizing and converting remote images - GitHub - imgproxy/imgproxy: Fast and secure standalone server for resizing and converting remote images

GitHubimgproxy

This means that an attacker can still pass loopback addresses as part of the imageURL parameter, which could allow them to exploit the vulnerability.

This vulnerability may lead to internal enumeration of internal hosts or ports, It’s error based because the application returns two error messages:

- 500 Internal Server Error (Source image is unreachable): if the URL is unreachable, which means that the host or the port is unreachable or not open.

- 422 Unprocessable Entity (Invalid source image): if the URL is reachable and the port is open.

Mitigation: https://github.com/imgproxy/imgproxy/commit/1a9768a2c682e88820064aa3d9a05ea234ff3cc4

Related news

GHSA-9x7h-ggc3-xg47: imgproxy is vulnerable to Server-Side Request Forgery

imgproxy prior to version 3.15.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE