PT-2021-15304 · Unknown · Concrete Cms
Adrian Tiron +1 · Published 2021-11-19 · Updated 2021-11-23 · CVE-2021-22969
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions below 8.5.7. Concrete CMS version 9.0.0 is not affected, as it already includes the fix.

Description
The issue is a bypass of the SSRF mitigation using a DNS rebinding attack, which allows an attacker to fetch cloud IaaS IAM keys from the instance metadata service. To address this, Concrete CMS no longer allows downloads from the local network and connects to the IP address it validated, rather than letting the HTTP client resolve the hostname again via DNS. A further mitigation is to ensure IMDS configurations follow the cloud provider's best practices.

Recommendations
For Concrete CMS versions below 8.5.7, update to version 8.5.7 or later to fix the issue. Users who cannot update immediately should apply the mitigation of configuring IMDS according to the cloud provider's best practices. As a temporary workaround, restrict downloads from the local network and download from validated IP addresses only, to minimize the risk of exploitation.
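The fix described above (resolve the hostname once, reject any answer in a local or link-local range, then download from that validated IP instead of letting the HTTP client resolve the name a second time) can be implemented as in the following added Python example. This is illustrative code, not Concrete CMS's own; the function names, the constructed resolver table and the sample addresses are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit


def is_forbidden_ip(ip_str):
    """True for any address a server-side fetcher must never contact:
    loopback, RFC 1918, link-local (which includes the cloud IMDS address
    169.254.169.254), multicast, reserved and unspecified ranges."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(hostname):
    """Resolve with the OS resolver; returns every A/AAAA answer."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


# Constructed sample DNS answers (assumption, for offline demonstration).
# "rebind.example.test" models a rebinding server that mixes a public
# address with the IMDS address in one response.
DEMO_RESOLUTIONS = {
    "files.example.test": ["93.184.216.34"],
    "rebind.example.test": ["93.184.216.34", "169.254.169.254"],
}


def demo_resolver(hostname):
    return DEMO_RESOLUTIONS.get(hostname, [])


def pin_download_url(url, resolver=system_resolver):
    """Validate the download target once and pin it.

    Returns (pinned_url, host_header): pinned_url carries the validated IP
    literal in place of the hostname so the HTTP client cannot re-resolve,
    and host_header is the original name to send in the Host header.
    Raises ValueError for anything that must not be fetched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    host = parts.hostname
    if host is None:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # URL already had an IP literal
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError("host did not resolve")
    # Reject if *any* answer is forbidden: with rebinding the resolver may
    # return a mixed set and the client could pick the dangerous one.
    for addr in addrs:
        if is_forbidden_ip(addr):
            raise ValueError(f"refusing to fetch from non-public address {addr}")
    ip = addrs[0]
    netloc = f"[{ip}]" if ":" in ip else ip
    if parts.port:
        netloc += f":{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return pinned, host


if __name__ == "__main__":
    for url in ("https://files.example.test:8443/pkg.zip?v=1",
                "http://rebind.example.test/pkg.zip",
                "http://169.254.169.254/latest/meta-data/"):
        try:
            pinned, host = pin_download_url(url, demo_resolver)
            print(f"OK      {url} -> GET {pinned} (Host: {host})")
        except ValueError as exc:
            print(f"BLOCKED {url}: {exc}")
```

The returned pinned URL is what the HTTP client is handed, together with the original name in the Host header; for HTTPS the original hostname must additionally be used for SNI and certificate validation, which is why production fetchers usually pin the address at the socket or connection layer rather than by rewriting the URL.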

Fix

SSRF


Weakness Enumeration

Related Identifiers

CVE-2021-22969
GHSA-MCXR-FX5F-96QQ

Affected Products

Concrete Cms