CVE-2023-46746 - OpenCVE

PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Posthog	Posthog

Configuration 1 [-]

cpe:2.3:a:posthog:posthog:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292
https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c
https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-12-01T21:53:19.584Z

Updated: 2024-08-02T20:53:20.967Z

Reserved: 2023-10-25T14:30:33.753Z

Link: CVE-2023-46746

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-01T22:15:10.167

Modified: 2023-12-11T19:15:08.763

Link: CVE-2023-46746

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-46746", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-10-25T14:30:33.753Z", "datePublished": "2023-12-01T21:53:19.584Z", "dateUpdated": "2024-08-02T20:53:20.967Z"}, "containers": {"cna": {"title": "Authenticated PostHog users vulnerable to SSRF", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"}, {"name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292", "tags": ["x_refsource_MISC"], "url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"}, {"name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"}], "affected": [{"vendor": "PostHog", "product": "posthog", "versions": [{"version": "<=1.43.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-12-11T18:25:11.493Z"}, "descriptions": [{"lang": "en", "value": "PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-wqqw-r8c5-j67c", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T20:53:20.967Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"}, {"name": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"}, {"name": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:posthog:posthog:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA68EBBF-D850-4812-BEF5-05E2EDE7FA28", "versionEndIncluding": "1.43.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "PostHog proporciona an\u00e1lisis de productos de c\u00f3digo abierto, grabaci\u00f3n de sesiones, marcado de funciones y pruebas A/B que usted mismo puede alojar. En Posthog se encontr\u00f3 server-side request forgery (SSRF), que s\u00f3lo puede ser explotada por usuarios autenticados. Posthog no verific\u00f3 si una URL era local al habilitar los webhooks, lo que permiti\u00f3 a los usuarios autenticados falsificar una solicitud POST. Esta vulnerabilidad se solucion\u00f3 en `22bd5942` y se incluir\u00e1 en versiones posteriores. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2023-46746", "lastModified": "2023-12-11T19:15:08.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-12-01T22:15:10.167", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/PostHog/posthog/commit/22bd5942638d5d9bc4bd603a9bfe8f8a95572292"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/PostHog/posthog/security/advisories/GHSA-wqqw-r8c5-j67c"}, {"source": "security-advisories@github.com", "url": "https://securitylab.github.com/advisories/GHSL-2023-185_posthog_posthog/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}