CVE-2023-40017 – geonode

Package

Manager: pip
Name: geonode
Vulnerable Version: >=3.2.0 <4.2.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00085 pctl0.25497

Details

GeoNode Server Side Request forgery ### Summary A server side request forgery vuln was found within geonode when testing on a bug bounty program. Server side request forgery allows a user to request information on the internal service/services. ### Details The endpoint /proxy/?url= does not properly protect against SSRF. when using the following format you can request internal hosts and display data. /proxy/?url=http://169.254.169.254\@whitelistedIPhere. This will state wether the AWS internal IP is alive. If you get a 404, the host is alive. A non alive host will not display a response. To display metadata, use a hashfrag on the url /proxy/?url=http://169.254.169.254\@#whitelisteddomain.com or try /proxy/?url=http://169.254.169.254\@%23whitelisteddomain.com ### Impact Port scan internal hosts, and request information from internal hosts.

Metadata

Created: 2024-11-21T22:22:03Z
Modified: 2024-11-21T22:22:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-rmxg-6qqf-x8mr/GHSA-rmxg-6qqf-x8mr.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-rmxg-6qqf-x8mr
Finding: F100
Auto approve: 1