Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
Remediation
References
Related Vulnerabilities
WordPress Plugin YOP Poll Cross-Site Scripting (5.7.3)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2012-3546)
WordPress Plugin NextGEN Gallery-WordPress Gallery Unspecified Vulnerability (2.2.46)
WordPress Plugin Emag Marketplace Connector Cross-Site Scripting (1.0.0)
Oracle Application Server Other Vulnerability (CVE-2002-0560)