PT-2018-5687 · Red Hat · Cockpit
Authors: Bo Wang +2
Published: 2018-04-10 · Updated: 2022-08-18
CVE: CVE-2017-14611
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Cockpit version 0.13.0 (the Cockpit CMS by aheinze, whose fetch-URL helper is the vulnerable component; not Red Hat's Cockpit server console of the same name)
Description:
A server-side request forgery (SSRF) in Cockpit 0.13.0 lets an unauthenticated remote attacker make the server fetch an attacker-chosen URL. Depending on the URL supplied, the server returns the contents of arbitrary local files (typically via a file:// URL) or sends TCP traffic to hosts on the internal network, which allows port probing and requests to intranet services that are not reachable from outside. The root cause is the discontinued aheinze/fetch url contents component, which hands the value of the url parameter of the affected endpoint to its fetcher without validating the scheme or the destination.
Recommendations:
For Cockpit version 0.13.0, restrict access to the affected component (for example, require authentication for it or block the endpoint at the web server or reverse proxy) until a fixed version is installed. Until the issue is resolved, do not rely on the url parameter of the affected API endpoint; if the fetch feature is required, accept only http/https URLs to an allow-list of external hosts and reject anything that resolves to loopback, link-local or private address space.
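The check the recommendation calls for, as an added example that is not Cockpit's code and not the original fetch-URL component: a guard that rejects every class of URL the advisory describes (non-web schemes such as file://, hosts that resolve to loopback, link-local or private addresses, and non-standard ports) before any connection is made. The fetcher is injected and the resolver table is a constructed stand-in for DNS, both assumptions so the example runs offline; the function names are illustrative.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only plain web schemes; this alone kills file:///etc/passwd, gopher://, dict:// and friends.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}

# Constructed resolver table (assumption, not real DNS) so the example runs
# offline; hosts not listed here fall through to the real resolver.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}


def resolve(host):
    """Return every address a hostname maps to; an empty list means unresolvable."""
    if host in FAKE_DNS:
        return list(FAKE_DNS[host])
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public_address(text):
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_url(url):
    """Decide whether `url` may be handed to a server-side fetcher.

    Returns (ok, reason). Each rejection maps to an abuse in the advisory:
    local file reads (scheme check) and TCP probes of intranet hosts
    (address and port checks).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, v4 or bracketed v6
    except ValueError:
        addresses = resolve(host)                        # hostname
    if not addresses:
        return False, f"cannot resolve {host!r}"
    # A host that maps to *any* internal address is refused; this also blocks the
    # multi-answer form of DNS rebinding, not just plain intranet names.
    for address in addresses:
        if not is_public_address(address):
            return False, f"{host!r} maps to non-public address {address}"
    return True, "ok"


def fetch_url_contents(url, fetcher):
    """Guarded replacement for an unchecked fetch helper.

    `fetcher` performs the actual request (injected so this example never
    touches the network) and is only called once the URL passes the check.
    """
    ok, reason = check_fetch_url(url)
    if not ok:
        raise ValueError(f"refused {url!r}: {reason}")
    return fetcher(url)


def audit(urls):
    """Run the check over a list of URLs and return {url: (ok, reason)}."""
    return {u: check_fetch_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs of the kind an attacker would feed the url parameter.
    samples = [
        "https://example.com/feed.xml",
        "file:///etc/passwd",
        "http://127.0.0.1:22/",
        "http://[::1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://intranet.local/",
        "http://rebind.attacker.test/",
        "https://example.com:8443/",
    ]
    for url, (ok, reason) in audit(samples).items():
        print(f"{'ALLOW' if ok else 'DENY '} {url}  ({reason})")
```

Two caveats for a production version: the address check and the fetcher's own name lookup are separate resolutions, so a rebinding resolver can pass the check and then answer with an internal address to the real connection; the robust fix is to connect to the address that was checked and set the Host header yourself. Redirects must also be disabled or re-checked, since an allowed external host can 302 the fetcher to http://127.0.0.1/.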
Weakness Enumeration: SSRF (server-side request forgery)
Affected Products: Cockpit