Description

imgproxy allows an unauthenticated attacker to send arbitrary requests to perform lookups on the internal network which is otherwise not accessible externally. An attacker may use this feature to perform SSRF (server-side request forgery) attacks on the server.

Remediation

Upgrade to the latest version of imgproxy

References

imgproxy is vulnerable to Server-Side Request Forgery

CVE-2023-30019: SSRF in imgproxy<=3.14.0

Related Vulnerabilities

PHP Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-2014-5459)

Joomla Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2019-10945)

SharePoint CVE-2020-16941 Vulnerability (CVE-2020-16941)

Oracle Database Server CVE-2013-3789 Vulnerability (CVE-2013-3789)

MongoDb Other Vulnerability (CVE-2020-7929)

Severity

Medium

Classification

CVE-2023-30019 CWE-918 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Tags

Acumonitor SSRF Known Vulnerabilities