In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-02-09T12:15:14.213568Z

Updated: 2024-09-16T18:29:04.751Z

Reserved: 2021-01-22T00:00:00

Link: CVE-2021-25939

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2022-02-09T13:15:08.447

Modified: 2024-11-21T05:55:38.513

Link: CVE-2021-25939

cve-icon Redhat

Severity : Moderate

Publid Date: 2022-02-09T00:00:00Z

Links: CVE-2021-25939 - Bugzilla