CVE-2024-54000
HIGH7.5EPSS 0.23%MobSF vulnerability allows SSRF due to the allow_redirects=True parameter
Description
### Summary The fix for the "SSRF Vulnerability on assetlinks_check(act_name, well_knowns)" vulnerability could potentially be bypassed. ### Details Since the requests.get() request in the _check_url method is specified as allow_redirects=True, if "https://mydomain.com/.well-known/assetlinks.json" returns a 302 redirect, subsequent requests will be sent automatically. If the redirect location is "http://192.168.1.102/user/delete/1", a request will be sent here as well. <img width="610" alt="image" src="https://github.com/MobSF/Mobile-Security-Framework-MobSF/assets/150332295/a8c9630e-3d12-441a-816c-8f5e427a5194"> It will be safer to use allow_redirects=False. ### Impact The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure.
Affected packages (2)
- PyPI/mobsffrom 0, < 3.9.7
- PyPI/mobsffrom 0, < f22c584aa7d43527970c9da61eb678953cfc0a8e | from 0, < 3.9.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-54000
- PATCHhttps://github.com/MobSF/Mobile-Security-Framework-MobSF
- WEBhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/f22c584aa7d43527970c9da61eb678953cfc0a8e
- WEBhttps://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-m435-9v6r-v5f6
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/mobsf/PYSEC-2024-256.yaml