CVE-2024-41668

Source
https://cve.org/CVERecord?id=CVE-2024-41668
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41668.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-41668
Aliases
  • GHSA-9h44-r3c3-q7rm
Published
2024-07-23T18:14:41.169Z
Modified
2026-04-12T08:40:55.850235Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Summary
cBioPortal Proxy Endpoint Vulnerability
Details

The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. When the proxy endpoint is publicly exposed without authentication, cBioPortal could allow an unauthenticated attacker to perform a Server-Side Request Forgery (SSRF) attack. On private instances, logged-in users could do the same. A fix has been released in version 6.0.12. As a workaround, one might be able to disable the /proxy endpoint entirely, for example via nginx.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41668.json"
}
References

Affected packages

Git / github.com/cbioportal/cbioportal

Affected ranges

Type
GIT
Repo
https://github.com/cbioportal/cbioportal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/cbioportal/cbioportal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/cbioportal/cbioportal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Type
GIT
Repo
https://github.com/cbioportal/cbioportal
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
untagged-46e68095e194ee3ab21c
untagged-5c091fa4fd789aa79296
v1.*
v1.0.0
v1.1.0
v1.2.1
v1.2.2
v1.2.4
v1.2.5
v1.3.0
v3.*
v3.2.0
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.2.15
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.4.0
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.21
v3.4.22
v3.4.23
v3.4.3
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v3.5.0
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.6.0
v3.6.1
v3.6.10
v3.6.11
v3.6.12
v3.6.13
v3.6.14
v3.6.15
v3.6.16
v3.6.17
v3.6.18
v3.6.19
v3.6.2
v3.6.20
v3.6.21
v3.6.22
v3.6.3
v3.6.4
v3.6.5
v3.6.6
v3.6.7
v3.6.8
v3.6.9
v3.7.0
v3.7.1
v3.7.10
v3.7.11
v3.7.12
v3.7.13
v3.7.14
v3.7.15
v3.7.16
v3.7.17
v3.7.18
v3.7.19
v3.7.2
v3.7.20
v3.7.21
v3.7.22
v3.7.24
v3.7.25
v3.7.26
v3.7.27
v3.7.28
v3.7.29
v3.7.3
v3.7.30
v3.7.4
v3.7.5
v3.7.6
v3.7.7
v3.7.8
v3.7.9
v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.0
v4.1.1
v4.1.10
v4.1.11
v4.1.13
v4.1.14
v4.1.15
v4.1.16
v4.1.17
v4.1.18
v4.1.19
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.1.0
v5.1.1
v5.1.10
v5.1.2
v5.1.3
v5.1.4
v5.1.5
v5.1.6
v5.1.7
v5.1.9
v5.2.0
v5.2.1
v5.2.10
v5.2.11
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v5.3.0
v5.3.1
v5.3.10
v5.3.11
v5.3.12
v5.3.13
v5.3.14
v5.3.15
v5.3.16
v5.3.17
v5.3.18
v5.3.19
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.3.8
v5.3.9
v5.4.0
v5.4.1
v5.4.10
v5.4.2
v5.4.3
v5.4.4
v5.4.5
v5.4.6
v5.4.7
v5.4.9
v6.*
v6.0.0
v6.0.1
v6.0.10
v6.0.11
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41668.json"
vanir_signatures
[
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 664.0,
            "function_hash": "238874441046744172239768969093348959863"
        },
        "source": "https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
        "target": {
            "function": "proxyOncokb",
            "file": "src/main/java/org/cbioportal/proxy/ProxyController.java"
        },
        "id": "CVE-2024-41668-0d06e2f5"
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 359.0,
            "function_hash": "166124581723100463919540991221151501983"
        },
        "source": "https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
        "target": {
            "function": "getResourceStream",
            "file": "src/main/java/org/cbioportal/proxy/ProxyController.java"
        },
        "id": "CVE-2024-41668-2327bc48"
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 381.0,
            "function_hash": "76800250832716251250644907473172298692"
        },
        "source": "https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
        "target": {
            "function": "legacyProxyOncokb",
            "file": "src/main/java/org/cbioportal/proxy/ProxyController.java"
        },
        "id": "CVE-2024-41668-49baf616"
    },
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "8354877051200179143885715019814167995",
                "72902551453453994601450282133068433592",
                "135827395203083931367040569756682611935",
                "18548600988054522750782093557097390862",
                "112211257960498706423123175625586661845",
                "148766345394678077781696193336077211791",
                "72223570526924517005209613040156459897",
                "204432403054961511955038099375169281483",
                "267118966942296435619347321477997971928",
                "39917716663608181141736465198567593231",
                "305335121461463043937057044381077956266",
                "326932533834118964228308266445297821054",
                "3758464119841610449366124403698280602",
                "168092101465021717695833810349845288288",
                "253238563998290816766496874999970737873",
                "95223153768397238913085480492184576463",
                "145060772487337941004386728651590509332",
                "283951869101973464169259344206255403819",
                "210956852007339621658987849372997160142",
                "13568177450940027457379386503114833998",
                "220969762108262327553331472298625139059",
                "219858847519542479240904008556779363687",
                "338356937399769817305536664144226453521",
                "135043083403866673701594170477228093181",
                "102708910527602459478824782428490500947",
                "235493256509805757877837575425515173587",
                "1838450600435645437807213326223068523",
                "311982301745535983708004852235301468699",
                "177933817490325708204341014397170054752",
                "196362055903086841378029281786594054181",
                "336186904764430584905803029872666036593",
                "259702291865779899610467330553460525013",
                "249165489594268425707324670149097010421",
                "259280750076012808959141630493983774000",
                "70396249472224727347146625628125271926",
                "327077872392082455297238740354159009247",
                "261258771608801193975908030506653046396",
                "19711228540635705255693785010681309979",
                "65899982903293132329473320864105094226",
                "195707193699073760313831174810613990653",
                "124332062058603657569178309585998293098",
                "156593448092957614727213633838574806776",
                "125902588296500553616911334504217644831",
                "135748153207064906179650867736160208470",
                "251766708223733774204674078062496463684",
                "116132242844887654937026730063059000874",
                "277184359444174292979413560249451519960",
                "175647377744998651005936866523018914087",
                "157318899888597408224580137104834486613",
                "85663181714287677924210704068304069903",
                "64274718598404650118185951498162554566",
                "188292374726817759709904545680460622728",
                "53036563161135920211317499648064277341",
                "257506418723880822106781857295083894285",
                "291398333416626106492059405111953077058",
                "126438349394858955575471946305193116081",
                "54743675216092119265544678838710793950",
                "32293087934973129798924105547652987105",
                "8671692575176623003781666295790871887",
                "106388058172764832643611546392090845558",
                "237372832122560731681815044539222612865",
                "263536508753570317572460760414280305024",
                "139799709574148996661811010171938209317",
                "87407113120595751369552967913597597861",
                "158490835128830315507637694755169260716",
                "239250060498075521659663342884255419105",
                "197142195094322652825965832275741783287",
                "260993492727158696324375086209679962232",
                "283907604332723483967936762641396439815",
                "138042952853629368011895018935779574889",
                "114940778428090411245254156749585490735",
                "224733574064580313708612970795389068756",
                "143883635632103900561784487296743508427",
                "57657196577827041445961217379050884353",
                "20350268626851155060413178453599354855",
                "290396674159461984150954684565784527071",
                "59891531092610484973916748844102728021",
                "19721517004247828111536962117016804626",
                "253837556512803838468432784938165475362",
                "214899410150797638851707618659324806024",
                "199248690576950491109308563139499721641",
                "108611427212721053567490460099004993366",
                "323658091525524919526299586186225972015",
                "48003330313242537578296083376324978983",
                "29498782237188282681149796935693081141",
                "336408347358928856961986043291792375100",
                "84817024728040376600323882131420764115",
                "328086463338275044213974799726024192162",
                "121741212233623446526354701526773591046",
                "91583527215201956575026898824937672333",
                "203176561898984189317864381306388329581",
                "336545993650229207212457576731521981156",
                "72605066940940105482441978494300034775",
                "227629035929039151149534853771040721132",
                "247117166964092623313424840819237673365",
                "125534952303568367614587706973143550148",
                "24722823720409637997248729103310620579",
                "102431171181372344490612563828118282567",
                "99986935915462254261954921131931594424",
                "157647418324818693119227500814515445612",
                "11395130075276978956110231771730223196"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
        "target": {
            "file": "src/main/java/org/cbioportal/proxy/ProxyController.java"
        },
        "id": "CVE-2024-41668-954ddd36"
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 244.0,
            "function_hash": "121574912790120695669677442512621963020"
        },
        "source": "https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
        "target": {
            "function": "loadProperties",
            "file": "src/main/java/org/cbioportal/proxy/ProxyController.java"
        },
        "id": "CVE-2024-41668-bd528b19"
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 409.0,
            "function_hash": "247236920457912702755253625304329297215"
        },
        "source": "https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5",
        "target": {
            "function": "proxy",
            "file": "src/main/java/org/cbioportal/proxy/ProxyController.java"
        },
        "id": "CVE-2024-41668-edd6bf26"
    }
]
vanir_signatures_modified
"2026-04-12T08:40:55Z"