CVE-2019-8982

Name of the Vulnerable Software and Affected Versions WaveMaker Studio version 6.6

Description The issue in WaveMaker Studio arises from the mishandling of the studioService.download method, specifically with the inUrl parameter. This mishandling leads to the disclosure of local files and enables Server-Side Request Forgery (SSRF) attacks. SSRF occurs when an attacker can manipulate a server into making requests to internal or external resources, potentially leading to unauthorized access or information disclosure.

Recommendations For WaveMaker Studio version 6.6, as a temporary workaround, consider restricting access to the studioService.download method, especially for the inUrl parameter, until a patch is available. Additionally, avoid using the inUrl parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.