Lucene search

GitHub_MCVELIST:CVE-2024-31215

HistoryApr 04, 2024 - 4:10 p.m.

CVE-2024-31215 Mobile Security Framework (MobSF) vulnerable to Server-Side Request Forgery (SSRF) in firebase database check

2024-04-0416:10:18

CWE-918

GitHub_M

www.cve.org

cve-2024-31215

mobsf

ssrf

firebase

vulnerability

patched

security

mobile

android

ios

windows mobile

static analyzer

version 3.9.8

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

26.4%

JSON

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.
A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.

CNA Affected

[
  {
    "vendor": "MobSF",
    "product": "Mobile-Security-Framework-MobSF",
    "versions": [
      {
        "version": "<= 3.9.7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716

github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373

github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx