GHSA-284f-f2hw-j2gx

Source

https://github.com/advisories/GHSA-284f-f2hw-j2gx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-284f-f2hw-j2gx/GHSA-284f-f2hw-j2gx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-284f-f2hw-j2gx

Aliases

CVE-2021-22958

Published

2021-10-12T18:41:59Z

Modified

2023-11-08T04:05:02.123536Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

Server-Side Request Forgery vulnerability in concrete5

Details

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed.

Database specific

{
    "nvd_published_at": "2021-10-07T14:15:00Z",
    "github_reviewed_at": "2021-10-08T21:44:32Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-918"
    ]
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.5

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4