CVE-2022-23644 Server-side request forgery in BookWyrm

2022-02-16 18:20:09
CWE-918
GitHub_M
www.cve.org
Tags: bookwyrm, social network, server-side request forgery, vulnerability, version 0.3.0, patch, administrators, registration, trusted individuals

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9
Confidence: High
EPSS: 0.001
Percentile: 42.8%

BookWyrm is a decentralized social network for tracking reading habits and reviewing books. The functionality to load a book cover via URL is vulnerable to a server-side request forgery (SSRF) attack. Any BookWyrm instance running a version prior to v0.3.0 is susceptible to attack from a logged-in user. The problem has been patched, and administrators should upgrade to version 0.3.0. As a workaround, BookWyrm instances can close registration and limit members to trusted individuals.

CNA Affected

[
  {
    "product": "bookwyrm",
    "vendor": "bookwyrm-social",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.3.0"
      }
    ]
  }
]
