CVE-2023-30019
MEDIUM5.3EPSS 70.6%imgproxy is vulnerable to Server-Side Request Forgery
發布日:2023/5/8修改日:2024/8/20
描述
imgproxy prior to version 3.15.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.
受影響套件(4)
- Go/github.com/imgproxy/imgproxyfrom 0
- Go/github.com/imgproxy/imgproxy/v2from 0
- Go/github.com/imgproxy/imgproxy/v3from 0, < 3.15.0
- Go/github.com/imgproxy/imgproxy/v3from 0, < 3.15.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
參考連結(6)
- ADVISORYhttps://github.com/advisories/GHSA-9x7h-ggc3-xg47
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-30019
- PATCHhttps://github.com/imgproxy/imgproxy
- WEBhttps://breakandpray.com/cve-2023-30019-ssrf-in-imgproxy
- WEBhttps://github.com/imgproxy/imgproxy/blob/ee9e8f0cb101ec22318caffd552a23cc0548d5ce/imagedata/download.go#L142
- WEBhttps://github.com/imgproxy/imgproxy/commit/1a9768a2c682e88820064aa3d9a05ea234ff3cc4