PT-2022-20605 · Databasir
Stefanberg96 +1
Published 2022-09-02 · Updated 2022-09-08
CVE-2022-31196
CVSS v3.1: 7.6 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Databasir versions 1.06 and earlier
Description
An authenticated user can perform Server-Side Request Forgery (SSRF) with a single HTTP POST request that creates a databaseType and supplies an attacker-controlled jdbcDriverFileUrl. The server requests that URL without validating it. When the target answers with a non-200 response code, the response is written to the application log. The outbound request reveals the server's real (egress) IP address to the attacker's listener, and the logged responses let the attacker probe hosts and services on the internal network.
Recommendations
For Databasir versions 1.06 and earlier, update to version 1.0.7 to resolve the issue.
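The root cause above is a URL that reaches the HTTP client unchecked. The following is an added example in Python, not Databasir's own code and not the 1.0.7 fix: a validator that a value such as jdbcDriverFileUrl should pass before any request is sent. The allowed scheme and port, the hostnames and IP addresses, and the FAKE_DNS table are assumptions constructed so the example runs offline; the default resolver uses the real system DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumptions for this added example (not Databasir's code): driver jars are
# fetched only over HTTPS on port 443 from publicly routable hosts.
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


class UnsafeDriverUrl(ValueError):
    """Raised when a driver URL must not be fetched."""


def is_public_address(ip_str):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (including the 169.254.169.254
    cloud metadata endpoint), multicast, reserved and unspecified ranges.
    IPv4-mapped IPv6 literals (::ffff:10.0.0.1) are unwrapped first so they
    cannot be used to slip past the IPv4 checks.
    """
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def system_resolver(host):
    """Default resolver: every address the OS returns for host."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def validate_driver_url(url, resolve=system_resolver):
    """Check url before any request is made; return (host, pinned_ip).

    The caller should connect to pinned_ip (sending host as the Host/SNI
    name) instead of resolving again, so the DNS answer cannot change
    between this check and the connection (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeDriverUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeDriverUrl("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeDriverUrl("missing host")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeDriverUrl("invalid port") from exc
    if port is None:
        port = 443
    if port not in ALLOWED_PORTS:
        raise UnsafeDriverUrl(f"port not allowed: {port}")

    # A literal IP is checked directly; a name is resolved and every returned
    # address must be public, since the client could be steered to any one.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        raise UnsafeDriverUrl(f"host does not resolve: {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeDriverUrl(f"{host!r} resolves to non-public {addr}")
    return host, addresses[0]


# Constructed DNS answers for the offline demonstration (not real records).
FAKE_DNS = {
    "drivers.example.com": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],
    "localtest.me": ["127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def check(url, resolve=fake_resolver):
    """Return 'ok:<pinned ip>' or 'rejected:<reason>' for one URL."""
    try:
        _, ip = validate_driver_url(url, resolve)
        return "ok:" + ip
    except UnsafeDriverUrl as exc:
        return "rejected:" + str(exc)


SAMPLES = [
    "https://drivers.example.com/mysql-connector.jar",  # legitimate
    "http://169.254.169.254/latest/meta-data/",         # cloud metadata
    "https://127.0.0.1:443/",                            # loopback
    "https://[::ffff:10.0.0.1]/x.jar",                   # mapped IPv4
    "https://rebind.attacker.example/x.jar",             # mixed records
    "https://drivers.example.com:8080/x.jar",            # intranet port
    "https://user@drivers.example.com/x.jar",            # userinfo
    "file:///etc/passwd",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:50} -> {check(sample)}")
```

The check must run immediately before the connection, the fetch must not follow redirects (or must re-run the validator on every hop), and the response body of a failed download should not be logged verbatim, since that log line is exactly what turns a blind SSRF into the internal scanning oracle described above.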
Exploit · Fix · SSRF
Affected Products
Databasir