CVE-2022-23071 - Vulnerability Details - OpenCVE

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Tandoor	Recipes

Configuration 1 [-]

cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c
https://www.mend.io/vulnerability-database/CVE-2022-23071

History

No history.

MITRE

Status: PUBLISHED

Assigner: Mend

Published: 2022-06-19T10:15:14.995455Z

Updated: 2024-09-17T02:16:41.615Z

Reserved: 2022-01-10T00:00:00

Link: CVE-2022-23071

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-06-19T11:15:07.810

Modified: 2024-11-21T06:47:55.497

Link: CVE-2022-23071

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "recipes", "vendor": "recipes", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "0.9.1", "versionType": "custom"}, {"lessThanOrEqual": "1.2.5", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Mend Vulnerability Research Team (MVR)"}], "datePublic": "2022-01-11T00:00:00", "descriptions": [{"lang": "en", "value": "In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the \u201cImport Recipe\u201d functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information."}], "metrics": [{"other": {"content": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": 3.1}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-19T10:15:14", "orgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "shortName": "Mend"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23071"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c"}], "solutions": [{"lang": "en", "value": "Update version to 1.2.6 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}, "title": "Recipes - SSRF on Import", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vulnerabilitylab@whitesourcesoftware.com", "DATE_PUBLIC": "Jan 11, 2022, 3:10:07 PM", "ID": "CVE-2022-23071", "STATE": "PUBLIC", "TITLE": "Recipes - SSRF on Import"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "recipes", "version": {"version_data": [{"version_affected": ">=", "version_value": "0.9.1"}, {"version_affected": "<=", "version_value": "1.2.5"}]}}]}, "vendor_name": "recipes"}]}}, "credit": [{"lang": "eng", "value": "Mend Vulnerability Research Team (MVR)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the \u201cImport Recipe\u201d functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": 3.1}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-918 Server-Side Request Forgery (SSRF)"}]}]}, "references": {"reference_data": [{"name": "https://www.mend.io/vulnerability-database/CVE-2022-23071", "refsource": "MISC", "url": "https://www.mend.io/vulnerability-database/CVE-2022-23071"}, {"name": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c", "refsource": "MISC", "url": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c"}]}, "solution": [{"lang": "en", "value": "Update version to 1.2.6 or later"}], "source": {"advisory": "https://www.mend.io/vulnerability-database/", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:28:43.267Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23071"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c"}]}]}, "cveMetadata": {"assignerOrgId": "478c68dd-22c1-4a41-97cd-654224dfacff", "assignerShortName": "Mend", "cveId": "CVE-2022-23071", "datePublished": "2022-06-19T10:15:14.995455Z", "dateReserved": "2022-01-10T00:00:00", "dateUpdated": "2024-09-17T02:16:41.615Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8A1ACAA-A43E-48E9-8406-A8F8F8EF6B45", "versionEndIncluding": "1.2.5", "versionStartIncluding": "0.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the \u201cImport Recipe\u201d functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information."}, {"lang": "es", "value": "En Recipes, versiones 0.9.1 hasta 1.2.5, son vulnerables a un ataque de tipo Server Side Request Forgery (SSRF), en la funcionalidad \u201cImport Recipe\u201d. Cuando un atacante entra en la URL de localhost, un atacante con pocos privilegios puede acceder/leer el sistema de archivos interno para acceder a informaci\u00f3n confidencial"}], "id": "CVE-2022-23071", "lastModified": "2024-11-21T06:47:55.497", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-19T11:15:07.810", "references": [{"source": "vulnerabilitylab@mend.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c"}, {"source": "vulnerabilitylab@mend.io", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23071"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://www.mend.io/vulnerability-database/CVE-2022-23071"}], "sourceIdentifier": "vulnerabilitylab@mend.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "vulnerabilitylab@mend.io", "type": "Secondary"}]}