Server-Side Request Forgery in Pydio by Pydio SA
CVE-2018-1999017

4.9 MEDIUM

Key Information:

Vendor: Pydio
Status: Vendor
CVE Published: 3 October 2022

What is CVE-2018-1999017?

Pydio versions 8.2.0 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability that allows an authenticated admin user to make the server issue requests to arbitrary URLs. The Upgrade Engine feature accepts a URL entered by an administrator; when the 'Check Now' action is triggered or the upgrade page is refreshed, the server fetches that URL, so an attacker with administrative access can direct server-side requests to any destination of their choosing, leading to unauthorized access and data exposure. The vulnerability has been addressed in version 8.2.1.
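A defensive check for the weakness described above, as an added example that is not Pydio's own code: before an upgrade engine fetches an admin-supplied URL, it validates the URL against an allowlist of update hosts, rejects non-HTTPS schemes, embedded credentials and odd ports, and refuses any host that resolves to a non-public address. The allowlist host, the injectable resolver and the function name are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of hosts the upgrade engine may contact
# (placeholder, not Pydio's real update server).
ALLOWED_UPDATE_HOSTS = {"update.example-pydio-mirror.invalid"}


def _default_resolve(host):
    """Resolve a hostname to the set of IP addresses it currently points at."""
    # getaddrinfo sockaddr[0] is the address; strip any IPv6 scope suffix.
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def validate_upgrade_url(url, allowed_hosts=ALLOWED_UPDATE_HOSTS,
                         resolve=_default_resolve):
    """Return (ok, reason); ok is True only if the server may fetch url.

    Checks, in order: HTTPS scheme, no credentials in the URL, host on the
    allowlist, default port only, and every address the host resolves to is
    globally routable (no loopback, RFC 1918, link-local or metadata ranges).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    if parts.port not in (None, 443):
        return False, f"port {parts.port} not allowed"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"DNS failure: {exc}"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Validating and then fetching by name still leaves a window for DNS rebinding; the fetch should connect to the address that passed validation, or resolve once and pin it for the request.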

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved