CVE-2023-27163: request-baskets SSRF details - CodiMD

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

CVE
#sql#vulnerability#web#mac#nginx#ssrf#auth#docker#ssl

# request-baskets SSRF details

Follow the official documentation to start request-baskets with the Docker installation.

![](https://notes.sjtu.edu.cn/uploads/upload_f37294d56f74b588fac26542b22f7624.png)

Then log in to the administrator panel:

![](https://notes.sjtu.edu.cn/uploads/upload_5fa5fdd0cd07c6d78a8e34f54c839f3d.png)

The `forward_url` parameter of the following two APIs is vulnerable to SSRF:

1. /api/baskets/{name}
2. /baskets/{name}

We use the /api/baskets/{name} API as the example; the other API has the same vulnerability. Create a basket by POSTing the following body to /api/baskets/{name}:

```
{
  "forward_url": "http://127.0.0.1:80/test",
  "proxy_response": false,
  "insecure_tls": false,
  "expand_path": true,
  "capacity": 250
}
```

![](https://notes.sjtu.edu.cn/uploads/upload_2f8962255d21885cb2c34b95a1baa801.png)

The POST on its own only stores the forward URL; no outbound request is made until the basket itself receives a request. Visiting the basket endpoint, here http://192.168.175.213:55555/test (the basket was created under the name `test`), makes the request-baskets server forward that request to `forward_url` and triggers the SSRF. With `proxy_response` set to false, as here, the forward is blind and has to be confirmed on the target side; setting it to true relays the target's response back to the requester, so the attacker can read internal responses directly.

![](https://notes.sjtu.edu.cn/uploads/upload_8371c9701d7823878b9cc0cb4a6d44b4.png)

# Impact

**Information Disclosure and Exfiltration**

This was previously identified as an issue: unauthenticated requests for images can leak every image stored on the server. The problem is not limited to images, however. Any resource that can be fetched by an HTTP request from the web server's local network can be fetched remotely through this forward.

**Unauthenticated Access to Internal Network HTTP Servers**

The SSRF can be used to connect to any HTTP server on the same network as the request-baskets server, for instance an Nginx instance exposed only internally, or an internal RESTful API such as a NoSQL database or a GraphQL endpoint. This is not limited to services on the local machine; every machine on the local network is reachable.

**Port and IP Scanning and Enumeration**

The vulnerability can also be used to port-scan for HTTP servers, internal and external, on demand, and to enumerate the machines on the local network that have open HTTP ports.
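The root cause above is that `forward_url` is accepted verbatim and later fetched by the server. The following Go code is an added example written for this page, not request-baskets' own code or its fix: it models the JSON body shown in the write-up (`BasketConfig`, `PoCPayload`) and applies the check a hardened `/api/baskets/{name}` handler would need before storing the URL (`ValidateForwardURL`, `IsBlockedIP`, `ParseBasketConfig`). All of those names, the choice of "internal" ranges in `blockedNets`, and the injectable `Resolver` are assumptions made for the example; the resolver is injected so the code runs offline, and a deployment would pass `net.LookupIP`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
)

// BasketConfig mirrors the JSON body the write-up POSTs to /api/baskets/{name}
// (assumption: only the fields shown there are modelled).
type BasketConfig struct {
	ForwardURL    string `json:"forward_url"`
	ProxyResponse bool   `json:"proxy_response"`
	InsecureTLS   bool   `json:"insecure_tls"`
	ExpandPath    bool   `json:"expand_path"`
	Capacity      int    `json:"capacity"`
}

// PoCPayload is the body from the write-up, embedded so the example runs offline.
const PoCPayload = `{"forward_url": "http://127.0.0.1:80/test", "proxy_response": false,
  "insecure_tls": false, "expand_path": true, "capacity": 250}`

// Resolver maps a hostname to its addresses; injected so the check runs without
// real DNS here (a deployment would pass net.LookupIP).
type Resolver func(host string) ([]net.IP, error)

// blockedNets adds ranges net.IP's own predicates miss: RFC 1918, CGNAT, IPv6
// unique-local and 0.0.0.0/8. Assumption: these, plus loopback, link-local (which
// covers the 169.254.169.254 cloud metadata address), unspecified and multicast,
// are what "internal" means for this deployment.
var blockedNets = func() (nets []*net.IPNet) {
	for _, c := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
		"100.64.0.0/10", "0.0.0.0/8", "fc00::/7"} {
		_, n, _ := net.ParseCIDR(c)
		nets = append(nets, n)
	}
	return nets
}()

// IsBlockedIP reports whether the forwarder must never contact ip (nil fails closed).
func IsBlockedIP(ip net.IP) bool {
	if ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) { // Contains handles IPv4-mapped IPv6 forms via To4
			return true
		}
	}
	return false
}

// ValidateForwardURL accepts only http(s) URLs whose host, literal or resolved,
// lies entirely outside the blocked ranges; one blocked address in a multi-A
// answer rejects the whole URL.
func ValidateForwardURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("forward_url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" { // url.Parse lowercases the scheme
		return fmt.Errorf("forward_url: scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname() // port and IPv6 brackets stripped
	if host == "" {
		return fmt.Errorf("forward_url: empty host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal, so resolve it
		if resolve == nil {
			return fmt.Errorf("forward_url: no resolver configured for hostnames")
		}
		if ips, err = resolve(host); err != nil || len(ips) == 0 {
			return fmt.Errorf("forward_url: cannot resolve %s: %v", host, err)
		}
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("forward_url: %s maps to non-public address %s", host, ip)
		}
	}
	return nil
}

// ParseBasketConfig decodes a /api/baskets/{name} body and applies the check;
// an empty forward_url means "do not forward" and is allowed.
func ParseBasketConfig(body []byte, resolve Resolver) (BasketConfig, error) {
	var cfg BasketConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return BasketConfig{}, err
	}
	if cfg.ForwardURL != "" {
		if err := ValidateForwardURL(cfg.ForwardURL, resolve); err != nil {
			return BasketConfig{}, err
		}
	}
	return cfg, nil
}

func main() {
	// Constructed stand-in for DNS: every name answers with one public address.
	resolve := func(h string) ([]net.IP, error) { return []net.IP{net.ParseIP("93.184.216.34")}, nil }
	_, err := ParseBasketConfig([]byte(PoCPayload), resolve)
	fmt.Println("PoC payload:", err)
}
```

Two caveats a reviewer would raise against this check alone. First, validating at basket-creation time leaves a time-of-check/time-of-use gap: a hostname that resolves to a public address when the basket is created can be re-pointed at 127.0.0.1 before the forward fires (DNS rebinding), so the resolved, vetted address should also be pinned in the HTTP client's dialer at request time. Second, the forwarder must not follow redirects blindly, since an external host can simply `302` to an internal one; the same check has to run on every hop.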

Related news

Maltrail 0.53 Remote Code Execution

Maltrail version 0.53 suffers from an unauthenticated remote code execution vulnerability.

Request-Baskets 1.2.1 Server-Side Request Forgery

Request-Baskets version 1.2.1 suffers from a server-side request forgery vulnerability.

GHSA-58g2-vgpg-335q: request-baskets vulnerable to Server-Side Request Forgery

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.
