CVE-2021-25939 - Server-Side Request Forgery (SSRF) vulnerability in ArangoDB

CVSS metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: HIGH
- Confidentiality impact: NONE
- Integrity impact: LOW
- Availability impact: NONE

Summary
ArangoDB versions v3.7.0 through v3.9.0-alpha.1 have a feature that allows a Foxx service to be downloaded from a publicly available URL. The server does not properly filter the requests it performs internally on behalf of this feature, so a highly privileged attacker can abuse it to perform blind SSRF and have the server send requests to localhost.
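The root cause above is a server-side fetch that accepts any URL without checking where it points. The following is an added defensive example, not ArangoDB's own code or its actual fix: a policy gate for an "install service from URL" feature that rejects loopback, private, link-local, CGNAT and IPv4-mapped targets before any request is made. It assumes a hypothetical fetch helper that calls validateServiceUrl() first and re-runs isBlockedAddress() on every DNS answer and every redirect target, since a hostname check alone does not cover DNS rebinding or redirects.

```javascript
// Added example, not ArangoDB's own code. Assumption: the (hypothetical) fetch
// helper calls validateServiceUrl() before each request and re-checks every DNS
// answer and redirect target with isBlockedAddress().

// IPv4 prefixes an internet-facing fetch should never be allowed to reach:
// "this" network, loopback, RFC 1918 private, link-local, CGNAT.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12],
  ["192.168.0.0", 16], ["169.254.0.0", 16], ["100.64.0.0", 10],
];
const V4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

function v4ToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

function isBlockedV4(ip) {
  const m = V4_RE.exec(ip);
  if (!m || m.slice(1).some((o) => Number(o) > 255)) return false;
  const addr = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// True for loopback, unspecified, unique-local, link-local and IPv4-mapped
// addresses; the mapped form is checked both dotted and in the hex form the
// WHATWG URL parser uses when it serializes an IPv6 host.
function isBlockedAddress(addr) {
  const a = addr.toLowerCase().replace(/^\[|\]$/g, "");
  if (!a.includes(":")) return isBlockedV4(a);
  if (a === "::" || a === "::1" || /^f[cd]/.test(a) || /^fe[89ab]/.test(a)) return true;
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(a);
  if (mapped) {
    const [hi, lo] = [parseInt(mapped[1], 16), parseInt(mapped[2], 16)];
    return isBlockedV4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return /^::ffff:\d/.test(a) && isBlockedV4(a.slice(7));
}

// Policy gate for the "install service from URL" feature.
function validateServiceUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  // The WHATWG parser normalizes shorthand such as 127.1 or 0x7f000001 to
  // dotted-quad form, so the literal check below sees the canonical address.
  const host = u.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (isBlockedAddress(host)) return { ok: false, reason: "internal address" };
  return { ok: true, reason: "" };
}
```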
References
- https://github.com/arangodb/arangodb/commit/d7b35a6884c6b2802d34d79fb2a79fb2c9ec2175
- https://github.com/arangodb/arangodb/commit/d9b7f019d2435f107b19a59190bf9cc27d5f34dd
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25939