GHSA-q348-f93x-9gx4

Source
https://github.com/advisories/GHSA-q348-f93x-9gx4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-q348-f93x-9gx4/GHSA-q348-f93x-9gx4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q348-f93x-9gx4
Aliases
  • CVE-2021-30492
Published
2021-04-29T21:53:06Z
Modified
2024-12-02T05:55:17.026669Z
Summary
Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain
Details

Impact

The library did not validate the Zendesk subdomain it was given before using it to build request URLs. An application that passes an attacker-influenced subdomain to the library could therefore be made to send requests to an attacker-chosen host, exposing users of the library to Server Side Request Forgery (SSRF).

Resolution

Validate the provided Zendesk subdomain as a valid subdomain in:
  • getAuthUrl
  • getAccessToken
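As an added illustration (example code written for this page, not the library's own implementation), the following PHP shows why an unchecked subdomain is an SSRF sink and one way to validate it as the resolution above describes. The function names, the token-endpoint path and the sample inputs are assumptions made for the demonstration.

```php
<?php
// Added example for GHSA-q348-f93x-9gx4; not code from zendesk_api_client_php.
// Function names, the endpoint path and the sample values are assumptions.

declare(strict_types=1);

/**
 * Pre-fix pattern (hypothetical): the caller-supplied subdomain is dropped
 * straight into the Zendesk base URL. Whatever the library later requests
 * (the OAuth authorize URL, or a POST carrying client_secret to the token
 * endpoint) goes wherever that string points.
 */
function tokenEndpointUnchecked(string $subdomain): string
{
    return 'https://' . $subdomain . '.zendesk.com/oauth/tokens';
}

/**
 * Hardened check: accept a single DNS label only. Letters, digits and
 * hyphens, 1 to 63 characters, no leading or trailing hyphen. Dots, slashes,
 * "@", "?", "#", whitespace and the empty string are all rejected, so the
 * value cannot change the host or the path of the resulting URL.
 */
function isValidSubdomain(string $subdomain): bool
{
    return preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$/', $subdomain) === 1;
}

/** Post-fix pattern: refuse to build a URL from anything but a valid label. */
function tokenEndpoint(string $subdomain): string
{
    if (!isValidSubdomain($subdomain)) {
        throw new InvalidArgumentException('Invalid Zendesk subdomain: ' . $subdomain);
    }
    return tokenEndpointUnchecked($subdomain);
}

/** Host an HTTP client would actually connect to for the given URL. */
function effectiveHost(string $url): string
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) ? $host : '(unparseable)';
}

// Constructed inputs for the demonstration.
$inputs = [
    'acme',                              // legitimate tenant label
    'attacker.example/#',                // fragment swallows ".zendesk.com/oauth/tokens"
    'attacker.example/oauth/tokens?x=',  // attacker host with a plausible-looking path
    '169.254.169.254/latest/?',          // cloud metadata service, a classic SSRF target
    '',                                  // empty string: yields https://.zendesk.com/...
];

foreach ($inputs as $in) {
    $unchecked = tokenEndpointUnchecked($in);
    printf("input %-38s -> unchecked URL connects to %s\n",
        var_export($in, true), effectiveHost($unchecked));
    try {
        tokenEndpoint($in);
        echo "  validated: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "  validated: rejected\n";
    }
}
```

Running it shows the unchecked builder sending the request to whatever host precedes the first "/" or "#" in the input, while the validated builder accepts only the plain label. The allow-list is deliberately strict (a single label, not a hostname) because the library never needs more than that to form `{subdomain}.zendesk.com`.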

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-20",
        "CWE-918"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-28T22:29:16Z"
}
References

Affected packages

Packagist / zendesk/zendesk_api_client_php

Package

Name
zendesk/zendesk_api_client_php
Purl
pkg:composer/zendesk/zendesk_api_client_php

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.11

Affected versions

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.1

2.*

2.0.0-beta
2.0.9

v2.*

v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.1.10
v2.1.11
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10