GitHub Advisory DatabaseGHSA-WPFF-WM84-X5CXMobile Security Framework (MobSF) vulnerable to SSRF in firebase database check
6.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.4%
Impact
What kind of vulnerability is it? Who is impacted?
SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When malicious app is uploaded to Static analyzer, it is possible to make internal requests.
Credits: Oleg Surnin (Positive Technologies).
Patches
Has the problem been patched? What versions should users upgrade to?
v3.9.8 and above
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Code level patch
References
Are there any links users can visit to find out more?
https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
Affected configurations
References
github.com/advisories/GHSA-wpff-wm84-x5cx
github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716
github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx
nvd.nist.gov/vuln/detail/CVE-2024-31215
Related
6.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
26.4%