{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23336", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.443Z", "datePublished": "2024-05-01T06:27:37.987Z", "dateUpdated": "2024-08-01T22:59:32.176Z"}, "containers": {"cna": {"title": "Incomplete disallowed remote addresses list in MyBB", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"}, {"name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630", "tags": ["x_refsource_MISC"], "url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"}, {"name": "https://docs.mybb.com/1.8/administration/configuration-file", "tags": ["x_refsource_MISC"], "url": "https://docs.mybb.com/1.8/administration/configuration-file"}, {"name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC"], "url": "https://mybb.com/versions/1.8.38"}], "affected": [{"vendor": "mybb", "product": "mybb", "versions": [{"version": "< 1.8.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T06:27:37.987Z"}, "descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list."}], "source": {"advisory": "GHSA-qfrj-65mv-h75h", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "mybb", "product": "mybb", "cpes": ["cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.8.38", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-01T13:48:54.371730Z", "id": "CVE-2024-23336", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:06:34.074Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.176Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"}, {"name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"}, {"name": "https://docs.mybb.com/1.8/administration/configuration-file", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://docs.mybb.com/1.8/administration/configuration-file"}, {"name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mybb.com/versions/1.8.38"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h", "name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630", "name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://docs.mybb.com/1.8/administration/configuration-file", "name": "https://docs.mybb.com/1.8/administration/configuration-file", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://mybb.com/versions/1.8.38", "name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.176Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23336", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T13:48:54.371730Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*"], "vendor": "mybb", "product": "mybb", "versions": [{"status": "affected", "version": "0", "lessThan": "1.8.38", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T13:50:49.060Z"}}], "cna": {"title": "Incomplete disallowed remote addresses list in MyBB", "source": {"advisory": "GHSA-qfrj-65mv-h75h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mybb", "product": "mybb", "versions": [{"status": "affected", "version": "< 1.8.38"}]}], "references": [{"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h", "name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630", "name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630", "tags": ["x_refsource_MISC"]}, {"url": "https://docs.mybb.com/1.8/administration/configuration-file", "name": "https://docs.mybb.com/1.8/administration/configuration-file", "tags": ["x_refsource_MISC"]}, {"url": "https://mybb.com/versions/1.8.38", "name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T06:27:37.987Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23336", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:59:32.176Z", "dateReserved": "2024-01-15T15:19:19.443Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-01T06:27:37.987Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list."}, {"lang": "es", "value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. La lista predeterminada de hosts remotos no permitidos no contiene el bloque `127.0.0.0/8`, lo que puede provocar una vulnerabilidad de Server Side Request Forgery (SSRF). La lista de _Direcciones remotas no permitidas_ del archivo de configuraci\u00f3n (\"$config['disallowed_remote_addresses']`) contiene la direcci\u00f3n `127.0.0.1`, pero no incluye el bloque completo `127.0.0.0/8`. MyBB 1.8.38 resuelve este problema en las instalaciones predeterminadas. Los administradores de las placas instaladas deben actualizar la configuraci\u00f3n existente (`inc/config.php`) para incluir todas las direcciones bloqueadas de forma predeterminada. Adem\u00e1s, se recomienda a los usuarios que verifiquen que incluya otras direcciones IPv4 que se resuelvan en el servidor y otros recursos internos. Los usuarios que no puedan actualizar pueden agregar manualmente 127.0.0.0/8' a su lista de direcciones no permitidas."}], "id": "CVE-2024-23336", "lastModified": "2024-05-01T13:01:51.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-01T07:15:38.660", "references": [{"source": "security-advisories@github.com", "url": "https://docs.mybb.com/1.8/administration/configuration-file"}, {"source": "security-advisories@github.com", "url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"}, {"source": "security-advisories@github.com", "url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"}, {"source": "security-advisories@github.com", "url": "https://mybb.com/versions/1.8.38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}