Vulnerabilities > CVE-2019-19999 - Server-Side Request Forgery (SSRF) vulnerability in Halo

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

halo

CWE-918

NVD

Published: 2019-12-26

Updated: 2020-01-08

Summary

Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) because TemplateClassResolver.SAFER_RESOLVER is not used in the FreeMarker configuration.

Vulnerable Configurations

Part	Description	Count
Application	Halo Halo Halo 1.2.0 Halo Halo 1.1.3 Halo Halo - Halo Halo 0.0.1 Halo Halo 0.0.2 Halo Halo 0.0.3 Halo Halo 0.0.4 Halo Halo 0.0.5 Halo Halo 0.0.6 Halo Halo 0.0.7 Halo Halo 0.0.8 Halo Halo 0.0.9 Halo Halo 0.1 Halo Halo 0.1.1 Halo Halo 0.2.0 Halo Halo 0.2.1 Halo Halo 0.2.2 Halo Halo 0.3.0 Halo Halo 0.4.0 Halo Halo 0.4.1 Halo Halo 0.4.2 Halo Halo 0.4.3 Halo Halo 0.4.4 Halo Halo 1.0.0 Halo Halo 1.0.1 Halo Halo 1.0.2 Halo Halo 1.0.3 Halo Halo 1.1.0 Halo Halo 1.1.1	42

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References