CVE-2023-44313 - OpenCVE

Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.This issue affects Apache ServiceComb before 2.1.0(include). Users are recommended to upgrade to version 2.2.0, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Servicecomb

Configuration 1 [-]

cpe:2.3:a:apache:servicecomb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/01/31/4
https://lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-01-31T08:49:45.962Z

Updated: 2024-08-02T19:59:52.116Z

Reserved: 2023-09-28T13:17:56.101Z

Link: CVE-2023-44313

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-31T09:15:43.920

Modified: 2024-02-08T17:13:28.083

Link: CVE-2023-44313

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-44313", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-09-28T13:17:56.101Z", "datePublished": "2024-01-31T08:49:45.962Z", "dateUpdated": "2024-08-02T19:59:52.116Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache ServiceComb Service-Center", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.1.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "\u82cf \u5b89 <suanwell@hotmail.com>"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.<p>This issue affects Apache ServiceComb before 2.1.0(include).</p><p>Users are recommended to upgrade to version 2.2.0, which fixes the issue.</p>"}], "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.This issue affects Apache ServiceComb before 2.1.0(include).\n\nUsers are recommended to upgrade to version 2.2.0, which fixes the issue.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-01-31T08:49:45.962Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/31/4"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache ServiceComb Service-Center: attacker can perform SSRF through the frontend API", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:59:52.116Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r"}, {"url": "http://www.openwall.com/lists/oss-security/2024/01/31/4", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:servicecomb:*:*:*:*:*:*:*:*", "matchCriteriaId": "42A1CA41-0FBA-401D-BDCB-86E169C784E1", "versionEndExcluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center. Attackers can obtain sensitive server information through specially crafted requests.This issue affects Apache ServiceComb before 2.1.0(include).\n\nUsers are recommended to upgrade to version 2.2.0, which fixes the issue.\n\n"}, {"lang": "es", "value": "Vulnerabilidad de Server-Side Request Forgery (SSRF) en Apache ServiceComb Service-Center. Los atacantes pueden obtener informaci\u00f3n confidencial del servidor a trav\u00e9s de solicitudes especialmente manipuladas. Este problema afecta a Apache ServiceComb anterior a 2.1.0 (incluido). Se recomienda a los usuarios actualizar a la versi\u00f3n 2.2.0, que soluciona el problema."}], "id": "CVE-2023-44313", "lastModified": "2024-02-08T17:13:28.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2024-01-31T09:15:43.920", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/01/31/4"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.apache.org/thread/kxovd455o9h4f2v811hcov2qknbwld5r"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security@apache.org", "type": "Primary"}]}