CVE-2023-30019
Severity: MEDIUM 5.3 | EPSS: 70.6%
imgproxy is vulnerable to Server-Side Request Forgery
Published: 5/8/2023 | Modified: 8/20/2024
Description
imgproxy before version 3.15.0 is vulnerable to Server-Side Request Forgery (SSRF): the remote image URL supplied in the request (the imageURL parameter) is passed to the image fetcher without sufficient validation, so a client of the proxy can make it issue HTTP requests to destinations the operator did not intend to expose. The issue is fixed in version 3.15.0; deployments on earlier releases should upgrade.
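The advisory names the root cause (an unvalidated source URL) but not the shape of a correct check. The following Go code is an added example written for this page; it is not imgproxy's code and not the 3.15.0 fix. It shows the validation an image proxy needs before fetching a remote image: scheme and exact-host allowlisting with a directory-style path prefix, rejection of userinfo, a check that the host resolves only to public addresses, and re-validation of every redirect hop via http.Client.CheckRedirect (a permitted host must not be able to bounce the proxy to an internal one). The allowlist entries, hostnames and the injectable resolver are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// ErrNotAllowed is returned for any source URL the allowlist rejects.
var ErrNotAllowed = errors.New("source URL not allowed")

// SourceChecker validates remote image URLs before a proxy fetches them.
// Allowed holds entries of the form "https://host/optional/prefix/" (a
// constructed stand-in for an allowlist setting, not imgproxy's own parser).
// Resolve is injected so tests run offline; production passes net.LookupIP.
type SourceChecker struct {
	Allowed []*url.URL
	Resolve func(host string) ([]net.IP, error)
}

// NewSourceChecker parses the allowlist; every entry must carry a host and a
// trailing slash so that the path comparison below is a directory prefix.
func NewSourceChecker(allowed []string, resolve func(string) ([]net.IP, error)) (*SourceChecker, error) {
	c := &SourceChecker{Resolve: resolve}
	for _, a := range allowed {
		u, err := url.Parse(a)
		if err != nil || u.Host == "" || !strings.HasSuffix(u.Path, "/") {
			return nil, fmt.Errorf("bad allowlist entry %q: need scheme://host/path/", a)
		}
		c.Allowed = append(c.Allowed, u)
	}
	return c, nil
}

// Check returns nil only if raw is an absolute http(s) URL without userinfo,
// its scheme and host equal an allowlist entry, its path begins with that
// entry's path, and its host resolves exclusively to public addresses.
func (c *SourceChecker) Check(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || u.Hostname() == "" {
		return ErrNotAllowed
	}
	matched := false
	for _, a := range c.Allowed {
		// Exact host match plus path prefix. A plain string-prefix test on the
		// whole URL would accept https://images.example.com.evil.net/ if the
		// allowlist entry lacked its trailing slash.
		if strings.EqualFold(u.Scheme, a.Scheme) && strings.EqualFold(u.Host, a.Host) &&
			strings.HasPrefix(u.EscapedPath(), a.EscapedPath()) {
			matched = true
			break
		}
	}
	if !matched {
		return ErrNotAllowed
	}
	// An allowlisted name can still point at internal addresses (misconfigured
	// or attacker-controlled DNS), so check where it actually resolves.
	ips, err := c.Resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return ErrNotAllowed
	}
	for _, ip := range ips {
		if !isPublic(ip) {
			return ErrNotAllowed
		}
	}
	return nil
}

// isPublic rejects loopback, RFC 1918 / ULA, link-local, multicast and unspecified addresses.
func isPublic(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// Client returns an http.Client that runs Check on every redirect target, so
// validation applies to each hop and not only to the URL the client sent.
func (c *SourceChecker) Client() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 5 {
				return errors.New("too many redirects")
			}
			return c.Check(req.URL.String())
		},
	}
}

func main() {
	checker, err := NewSourceChecker([]string{"https://images.example.com/"}, net.LookupIP)
	if err != nil {
		panic(err)
	}
	for _, raw := range []string{
		"https://images.example.com/cat.jpg",
		"https://images.example.com.evil.net/cat.jpg",
		"http://169.254.169.254/latest/meta-data/",
		"https://user@images.example.com/cat.jpg",
	} {
		fmt.Printf("%-48s %v\n", raw, checker.Check(raw))
	}
}
```

Use the returned Client for the actual fetch; validating only the URL the client submitted and then following redirects with a default http.Client re-opens the hole the check is meant to close.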
Affected packages (3)
- Go: github.com/imgproxy/imgproxy, from 0 (no fixed version listed for this major line)
- Go: github.com/imgproxy/imgproxy/v2, from 0 (no fixed version listed for this major line)
- Go: github.com/imgproxy/imgproxy/v3, from 0, < 3.15.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (6)
- ADVISORY: https://github.com/advisories/GHSA-9x7h-ggc3-xg47
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-30019
- PATCH: https://github.com/imgproxy/imgproxy
- WEB: https://breakandpray.com/cve-2023-30019-ssrf-in-imgproxy
- WEB: https://github.com/imgproxy/imgproxy/blob/ee9e8f0cb101ec22318caffd552a23cc0548d5ce/imagedata/download.go#L142
- WEB: https://github.com/imgproxy/imgproxy/commit/1a9768a2c682e88820064aa3d9a05ea234ff3cc4