Lucene search

Veracode Vulnerability DatabaseVERACODE:46232

HistoryApr 05, 2024 - 10:14 a.m.

Server Side Request Forgery

2024-04-0510:14:49

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

mobsf

server side request forgery

vulnerability

firebase

database

check logic

attackers

internal services

infrastructure

malicious app

static analyzer

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

6.9 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

26.4%

JSON

mobsf is vulnerable to Server Side Request Forgery. The vulnerability is due to a flaw in the firebase database check logic, allowing attackers to manipulate the server to make connections to internal-only services within the organization’s infrastructure when a malicious app is uploaded to the Static analyzer.

CPENameOperatorVersion
mobsfle3.9.7
mobsfle3.9.7

CPE	Name	Operator	Version
	mobsf	le	3.9.7
	mobsf	le	3.9.7

References

github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716

github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373

github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx