CVE-2023-24515

Published: Aug 22, 2023

Modified: Oct 3, 2024

PUBLISHED

CVSS v3.1

5.2

MEDIUM

Description

Server-Side Request Forgery (SSRF) vulnerability in API checker of Pandora FMS. Application does not have a check on the URL scheme used while retrieving API URL. Rather than validating the http/https scheme, the application allows other scheme such as file, which could allow a malicious user to fetch internal file content. This issue affects Pandora FMS v767 version and prior versions on all platforms.

Vendor	Product	Versions
Artica PFMS	Pandora FMS	affected `v0 - <= v767`

Weaknesses (CWE)

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

References

https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/

vendor-advisory

https://gist.github.com/damodarnaik/9cc76c6b320510c34a0a668bd7439f7b

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-24515

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References