CVE-2024-37818

CVE

High

Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability …

CVSS

8.6

High

EPSS

0.01

p41

Published

2024-01-01

Updated

2024-01-01

Description

Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. NOTE: The Strapi Development Community argues that this issue is not valid. They contend that "the strapi/admin was wrongly attributed a flaw that only pertains to the strapi.io website, and which, at the end of the day, does not pose any real SSRF risk to applications that make use of the Strapi library."

Tags · CWE

Pre-auth

CWE-918

CAPEC-664

Affected products

Strapi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Timeline

2024-01-01

Published

2024-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Scope

S: C

Changed (C)

Confidentiality Impact

C: H

High (H)

Integrity Impact

I: N

None (N)

Availability Impact

A: N

None (N)

Exploit indicators

EPSS

0.006 · p41

Known exploited (KEV)

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Strapi

Product	Vendor	Status
strapi	*	Tracked

Source databases

CVE

External references

https://medium.com/%40barkadevaibhav491/server-side-request-forgery-in-strapi-e02d5fe218ab@https://strapi.io/@https://medium.com/%40barkadevaibhav491/server-side-request-forgery-in-strapi-e02d5fe218ab@https://strapi.io/