CVE-2022-23071

Recipes - SSRF on Import

EPSS 0.9%CWE-918

Vexday Risk Score

3Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 0.9%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

19 Jun 2022Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

In Recipes, versions 0.9.1 through 1.2.5 are vulnerable to Server Side Request Forgery (SSRF), in the “Import Recipe” functionality. When an attacker enters the localhost URL, a low privileged attacker can access/read the internal file system to access sensitive information.

Affected products

recipes · recipes

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/TandoorRecipes/recipes/commit/d48fe26a3529cc1ee903ffb2758dfd8f7efaba8c https://www.mend.io/vulnerability-database/CVE-2022-23071