Lucene search

[email protected]NVD:CVE-2022-23071

HistoryJun 19, 2022 - 11:15 a.m.

CVE-2022-23071

2022-06-1911:15:07

CWE-918

[email protected]

web.nvd.nist.gov

recipes

ssrf

vulnerability

server side request forgery

import recipe

localhost url

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

30.4%

JSON

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information.

Affected configurations

Nvd

Node

tandoorrecipesRange0.9.1–1.2.5

VendorProductVersionCPE
tandoorrecipes*cpe:2.3:a:tandoor:recipes:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
tandoor	recipes	*	cpe:2.3:a:tandoor:recipes::::::::

References

github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c

www.mend.io/vulnerability-database/CVE-2022-23071

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

30.4%

JSON

Related for NVD:CVE-2022-23071

osv1 prion1 cvelist1 cve1