CVE-2021-25939

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-25939

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25939.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-25939

Published

2022-02-09T13:15:08.447Z

Modified

2026-04-10T06:15:04.006684Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.

References

Affected packages

Git / github.com/arangodb/arangodb

Affected ranges

Type

GIT

Repo

https://github.com/arangodb/arangodb

Events

Introduced

6285548e9a094f517fb28f58192d1d29be0f4f37

Last affected

1599d1db57279467472219d6b01c1248a685834b

Fixed

d7b35a6884c6b2802d34d79fb2a79fb2c9ec2175

Fixed

d9b7f019d2435f107b19a59190bf9cc27d5f34dd

Database specific

{
    "versions": [
        {
            "introduced": "3.7.0"
        },
        {
            "last_affected": "3.8.5.1"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25939.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-alpha1"
            }
        ]
    }
]