CVE-2024-31215 – mobsf
Package
Manager: pip
Name: mobsf
Vulnerable Version: >=0 <3.9.8
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
EPSS: 0.00105 (percentile: 0.29201)
Details
Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check

### Impact
_What kind of vulnerability is it? Who is impacted?_

SSRF vulnerability in the Firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. When a malicious app is uploaded to the Static Analyzer, it is possible to make internal requests.

Credits: Oleg Surnin (Positive Technologies).

### Patches
_Has the problem been patched? What versions should users upgrade to?_

v3.9.8 and above

### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_

Code level patch

### References
_Are there any links users can visit to find out more?_

https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
Metadata
Created: 2024-04-04T14:39:03Z
Modified: 2025-06-30T17:54:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-wpff-wm84-x5cx/GHSA-wpff-wm84-x5cx.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-wpff-wm84-x5cx
Finding: F100
Auto approve: 1