FOG SSRF via unauthenticated endpoint(s)
CVE-2023-46236

8.6 HIGH

Key Information:

Vendor

Fogproject

CVE Published:
31 October 2023

What is CVE-2023-46236?

The FOG Imaging Suite, an open-source imaging and management tool, contains a server-side request forgery (SSRF) vulnerability that allows an unauthenticated user to make GET requests to arbitrary endpoints. Depending on the server's configuration, this can expose sensitive files readable by the Apache user group. The issue is fixed in version 1.5.10; installations running earlier versions should be upgraded.

Affected Version(s)

fogproject < 1.5.10

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved