Server-Side Request Forgery in Mobile Security Framework by MobSF
CVE-2024-54000


Key Information:

Vendor: MobSF

CVE Published: 3 December 2024

What is CVE-2024-54000?

The Mobile Security Framework (MobSF), a pen-testing and malware-analysis platform for mobile applications, contains a server-side request forgery (SSRF) vulnerability in versions prior to 3.9.7. The flaw stems from the handling of HTTP redirects in the _check_url() method, where the outgoing request is configured to follow redirects. A request for '.well-known/assetlinks.json' that is answered with a 302 redirect can therefore be used to make the MobSF server issue requests to a destination of the attacker's choosing. This bypasses protections that had been put in place earlier; the issue is patched in version 3.9.7, and users should upgrade to that version or later to protect their deployments.
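The redirect handling described above, shown as an added hardening illustration: this is not MobSF's code or its `_check_url()` implementation, and the function names and the `ASSETLINKS_PATH` constant are assumptions. The fetch refuses any 3xx instead of following it and rejects loopback, private, link-local and multicast IP literals before a connection is opened.

```python
import ipaddress
from typing import Optional
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Path of the Android App Links file named in the advisory (assumed constant name).
ASSETLINKS_PATH = "/.well-known/assetlinks.json"


class _NoRedirect(HTTPRedirectHandler):
    """Refuse every 3xx. Returning None makes urllib raise HTTPError for the
    redirect instead of silently following its Location header, which is the
    behaviour that lets a 302 steer the server's request somewhere else."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def is_allowed_target(url: str) -> bool:
    """Accept only HTTPS to a host that is not loopback, private, link-local
    or multicast. IP literals are checked here; a DNS name would still need
    the same check on its resolved addresses (omitted to stay offline)."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme != "https" or not host or host == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name, not an IP literal
    return ip.is_global and not ip.is_multicast


def fetch_assetlinks(domain: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch assetlinks.json for `domain`; return None when the target is not
    allowed, when the server redirects, or on any other error."""
    url = f"https://{domain}{ASSETLINKS_PATH}"
    if not is_allowed_target(url):
        return None
    opener = build_opener(_NoRedirect)  # replaces the default redirect handler
    try:
        with opener.open(Request(url), timeout=timeout) as resp:
            return resp.read() if resp.status == 200 else None
    except HTTPError:  # every 3xx lands here because of _NoRedirect
        return None
    except URLError:
        return None
```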

Timeline

  • 3 December 2024: Vulnerability published
