Server-Side Request Forgery Vulnerability in MobSF
CVE-2024-29190

7.5 HIGH

Key Information:

Vendor: MobSF
CVE Published: 22 March 2024

What is CVE-2024-29190?

The Mobile Security Framework (MobSF) is a widely used pen-testing and security assessment tool. In versions up to and including 3.9.5 Beta, MobSF does not properly validate hostnames taken from the android:host attribute. Because the tool issues requests to the hostnames it reads, an unvalidated value enables server-side request forgery (SSRF): an attacker can cause MobSF to send requests to internal-only services within an organization's infrastructure, which could lead to unauthorized access to sensitive internal resources. A fix has been implemented that adds the missing input validation. More details can be found in the relevant advisories and commit logs.
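As an added illustration (not MobSF's own code or its actual fix), below is a hostname check of the kind the description calls for: accept only a plain DNS name from android:host and refuse IP literals, single-label names and internal-looking suffixes before any request is issued. The suffix blocklist and the sample values are constructed assumptions.

```python
import ipaddress
import re

# One DNS label: 1-63 ASCII letters, digits or hyphens, not starting or ending with a hyphen.
# IDN hosts are expected in punycode (xn--) form, so non-ASCII is rejected here.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed blocklist (assumption): last labels that usually name local or internal hosts.
INTERNAL_SUFFIXES = {"localhost", "localdomain", "local", "internal", "intranet", "lan"}


def is_safe_android_host(host: str) -> bool:
    """Return True only if `host` is a syntactically valid, multi-label DNS name
    that is not an IP literal and does not end in an internal-looking suffix."""
    if not host or len(host) > 253:
        return False
    # Android permits a leading "*." wildcard in android:host; check what remains.
    if host.startswith("*."):
        host = host[2:]
    # Any IP literal (IPv4, IPv6, bracketed) bypasses DNS entirely and is refused.
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False
    except ValueError:
        pass
    labels = host.split(".")
    # Single-label names (localhost, intranet, ...) resolve to local or internal hosts.
    if len(labels) < 2:
        return False
    # The label regex also rejects "/", "@", ":" and empty labels, so paths,
    # userinfo, ports and "a..b" never reach the request layer.
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    # A numeric last label is never a valid TLD; this also catches "127.1"-style shorthand.
    if labels[-1].isdigit():
        return False
    return labels[-1].lower() not in INTERNAL_SUFFIXES


def check_hosts(hosts):
    """Partition candidate android:host values into accepted and rejected lists."""
    accepted = [h for h in hosts if is_safe_android_host(h)]
    rejected = [h for h in hosts if not is_safe_android_host(h)]
    return accepted, rejected


# Constructed sample values of the kind an AndroidManifest intent-filter may carry.
SAMPLE_HOSTS = ["example.com", "*.example.com", "127.0.0.1", "[::1]", "localhost",
                "169.254.169.254", "host.localdomain", "example.com:8080", "-bad.example.com"]
```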

Affected Version(s)

Mobile-Security-Framework-MobSF <= 3.9.5 Beta

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved
  • Vulnerability published