In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: Mend
Published: 2022-02-09T12:15:14.213568Z
Updated: 2024-09-16T18:29:04.751Z
Reserved: 2021-01-22T00:00:00
Link: CVE-2021-25939
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-02-09T13:15:08.447
Modified: 2024-11-21T05:55:38.513
Link: CVE-2021-25939
Redhat