PT-2024-29495 · Unknown · Cbioportal

Boonking1220 · Published 2024-07-23 · Updated 2024-07-24 · CVE-2024-41668

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
cBioPortal versions prior to 6.0.12

Description
The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. When a cBioPortal instance exposes its proxy endpoint publicly without authentication, an unauthenticated attacker can use that endpoint to perform Server-Side Request Forgery (SSRF), making the server issue requests to destinations of the attacker's choosing. On private instances, logged-in users can do the same, so requiring a login does not by itself close the issue.
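The following is an added illustration of the vulnerability class described above; it is not cBioPortal code and does not reproduce the project's actual proxy implementation or its fix. It places the open-proxy pattern (forward whatever URL the caller supplies) beside a hardened check that only lets an https URL through when its host is on a fixed allowlist, rejecting literal IP addresses, userinfo tricks and look-alike domains. The allowlist, the function names and the sample URLs are assumptions made for the example.

```python
"""Added illustration of the SSRF pattern behind an open proxy endpoint.

This is not cBioPortal code. The function names, the allowlist and the
sample URLs are assumptions made for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed example: the only upstream host this deployment's proxy should reach.
ALLOWED_UPSTREAMS = frozenset({"upstream.example.org"})


def open_proxy_target(requested_url: str) -> str:
    """Vulnerable pattern: the caller-supplied URL is forwarded unchanged.

    A client can point the server at loopback, internal services or a cloud
    metadata address, which is the SSRF described in the advisory.
    """
    return requested_url


def is_allowed_target(requested_url: str) -> bool:
    """Hardened pattern: forward only https URLs whose host is allowlisted.

    The check is applied to every caller, authenticated or not, because the
    advisory notes that logged-in users could abuse a private instance too.
    """
    parts = urlsplit(requested_url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        # Rejects userinfo tricks such as https://upstream.example.org@10.0.0.5/
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # Literal IPs (127.0.0.1, 169.254.169.254, 10.x, ::1, ...) are never
        # allowed; DNS names are compared exactly, so suffix tricks fail too.
        return False
    return host.lower() in ALLOWED_UPSTREAMS


def classify(urls):
    """Return {url: allowed?} for a batch of candidate proxy targets."""
    return {u: is_allowed_target(u) for u in urls}


# Constructed sample inputs: one legitimate upstream plus typical SSRF probes.
SAMPLE_TARGETS = [
    "https://upstream.example.org/annotate?id=1",
    "http://127.0.0.1:8080/api/admin",
    "http://169.254.169.254/latest/meta-data/",
    "https://upstream.example.org@10.0.0.5/",
    "https://upstream.example.org.attacker.example/",
    "file:///etc/passwd",
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_TARGETS).items():
        print(("allow  " if ok else "reject ") + url)
```

A hostname allowlist is the minimum; in a real deployment the name must also be resolved and the resulting address checked against loopback, link-local and private ranges at connection time (otherwise a DNS record that changes between check and use defeats the test), and redirects returned by the upstream must not be followed without re-running the same check.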
Recommendations
For versions prior to 6.0.12, update to version 6.0.12, which resolves the issue. As a temporary workaround, block the "/proxy" endpoint entirely in front of the application, for example with a location rule in nginx, so that requests to it never reach cBioPortal.
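As an added example of the nginx workaround mentioned above (not configuration shipped by the advisory or by the cBioPortal project), the following server block returns 403 for "/proxy" and everything beneath it before the request reaches the application. The hostname, the listening port and the upstream address are assumptions; substitute your own.

```nginx
# Added example: deny the proxy endpoint at the reverse proxy.
# server_name and the upstream address are assumed values.
server {
    listen 443 ssl;
    server_name cbioportal.example.org;

    # "^~" makes this prefix match win over any regex locations defined
    # elsewhere, so nothing can re-route /proxy/... to the application.
    location ^~ /proxy {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx, confirm the rule is in effect by requesting a path under /proxy (for example with curl) and checking that the response is 403 rather than an upstream response; note that the prefix match also covers any other path beginning with "/proxy", which is acceptable for a temporary block but worth knowing if the application is later extended.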

SSRF

Weakness Enumeration

Related Identifiers

CVE-2024-41668
GHSA-9H44-R3C3-Q7RM

Affected Products

Cbioportal