CVE-2021-25939

Published: Feb 9, 2022

Modified: Sep 16, 2024

PUBLISHED

CVSS v3.1

2.7

LOW

Description

In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.

Vendor	Product	Versions
arangodb	arangodb	affected `v3.7.0 - < unspecified` affected `unspecified - <= v3.9.0-alpha.1`

Weaknesses (CWE)

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25939

x_refsource_MISC

https://github.com/arangodb/arangodb/commit/d7b35a6884c6b2802d34d79fb2a79fb2c9ec2175

x_refsource_MISC

https://github.com/arangodb/arangodb/commit/d9b7f019d2435f107b19a59190bf9cc27d5f34dd

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-25939

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References