Server-Side Request Forgery in Cockpit Product by Aheinze
CVE-2017-14611

9.1CRITICAL

Key Information:

  • Vendor: Agentejo
  • Status: Vendor
  • CVE Published: 10 April 2018

What is CVE-2017-14611?

Cockpit 0.13.0 contains a Server-Side Request Forgery (SSRF) vulnerability. The application fetches whatever the user supplies in the 'url' parameter without validating its scheme or destination, so an unauthenticated remote attacker can make the server read arbitrary local files (typically via a file:// URL) or direct TCP traffic to hosts on the internal network. The affected code is associated with the now-discontinued aheinze/fetch_url_contents component. Because the request originates from the Cockpit server itself, the attacker can reach intranet services that are not exposed to the internet and retrieve potentially sensitive data from them.
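The advisory describes the classic fetch-by-URL SSRF: a URL from the request is handed straight to a fetch routine that accepts any scheme and connects anywhere. The following is an added example, not Cockpit's code and not the fetch_url_contents component, written in Python rather than PHP so that it runs stand-alone. It contrasts the unchecked fetch with a validator that rejects non-HTTP schemes, embedded credentials, unparseable ports and destinations resolving to loopback, private, link-local or other non-routable ranges, and returns the resolved addresses so the caller can connect to them directly instead of resolving the name a second time. The function names, the FAKE_DNS table and the hostnames in it are constructed for the demo.

```python
"""SSRF guard for a user-supplied url parameter (added example; hypothetical names)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges that the ipaddress is_private/is_loopback/... flags do not cover on
# every Python version, but that a server-side fetch must never reach.
EXTRA_BLOCKED = [
    ipaddress.ip_network("0.0.0.0/8"),      # "this" network
    ipaddress.ip_network("100.64.0.0/10"),  # carrier-grade NAT space
    ipaddress.ip_network("192.0.0.0/24"),   # IETF protocol assignments
]


def fetch_contents_insecure(url):
    """The vulnerable pattern: any scheme, any host. urlopen('file:///etc/passwd')
    returns the file, and http://10.0.0.5:8080/ reaches the intranet. Not called here."""
    from urllib.request import urlopen
    return urlopen(url).read()


def default_resolver(host):
    """Resolve host to the set of IP addresses a fetch would connect to."""
    return {ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)}


def ip_is_blocked(ip):
    """True for any address that is not a routable public destination."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                  # treat ::ffff:10.0.0.5 as 10.0.0.5
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def validate_fetch_url(url, resolver=default_resolver):
    """Return (allowed, reason, pinned_ips). pinned_ips is non-empty only when allowed;
    the caller should connect to one of those addresses (sending the original Host
    header) rather than resolving the name again, which would open a DNS-rebinding window."""
    try:
        parts = urlsplit(url)
        parts.port                            # raises ValueError for a non-numeric port
    except ValueError as exc:
        return False, f"unparseable url: {exc}", set()
    scheme = (parts.scheme or "").lower()
    if scheme not in ALLOWED_SCHEMES:         # rejects file://, gopher://, ftp://, ...
        return False, f"scheme {scheme or '<none>'!r} not allowed", set()
    host = parts.hostname                     # brackets already stripped for IPv6 literals
    if not host:
        return False, "missing host", set()
    if parts.username is not None or parts.password is not None:
        return False, "credentials in url not allowed", set()
    try:
        ips = {ipaddress.ip_address(host)}    # literal address: no DNS involved
    except ValueError:
        # Names, including tricks such as "0x7f000001" or "2130706433" that the
        # system resolver turns into 127.0.0.1, go through the resolver and are
        # judged by what they actually resolve to.
        try:
            ips = resolver(host)
        except (socket.gaierror, OSError, ValueError):
            return False, f"cannot resolve {host!r}", set()
    if not ips:
        return False, f"no addresses for {host!r}", set()
    for ip in ips:
        if ip_is_blocked(ip):
            return False, f"{host!r} resolves to blocked address {ip}", set()
    return True, "ok", ips


# Constructed DNS table so the demo runs offline (hypothetical hosts and addresses).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "localtest.me": ["127.0.0.1"],
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return {ipaddress.ip_address(a) for a in FAKE_DNS[host]}


if __name__ == "__main__":
    for candidate in ["http://example.com/page", "file:///etc/passwd",
                      "http://127.0.0.1:6379/", "http://intranet.local/admin",
                      "http://169.254.169.254/latest/meta-data/", "http://[::1]/"]:
        allowed, reason, pinned = validate_fetch_url(candidate, resolver=fake_resolver)
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {candidate:45} {reason}")
```

Two caveats belong with any such check. First, validate the target of every redirect as well, or disable redirect following in the fetch client; a public host that 302s to http://127.0.0.1/ bypasses a check applied only to the initial URL. Second, the allow-list above is a denial of known-bad ranges; where the feature only ever needs to reach a handful of known hosts, an explicit hostname allow-list is stronger still.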


CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 10 April 2018