PT-2019-5531 · Ignite Realtime · Openfire
Alexandr Shvetsov
·
Published
2019-10-03
·
Updated
2024-07-12
·
CVE-2019-18394
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Openfire versions through 4.4.2
Description
A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java allows attackers to send arbitrary HTTP GET requests. The issue is related to insufficient validation of incoming requests, which can be exploited by a remote attacker.
Recommendations
For versions through 4.4.2, update to version 4.5.0-beta or later to resolve the issue. As a temporary workaround, consider restricting access to the FaviconServlet.java function to minimize the risk of exploitation.
Fix
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openfire