CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
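An added example of the missing check the description refers to, written for this page and not taken from the CWE entry or from any of the products listed below. It is a small Python fetch-by-URL routine that validates the scheme, resolves the host and checks every returned address against non-public ranges, then follows redirects manually so each hop is re-validated. The host names, the FAKE_DNS table and the fake server are constructed so the example runs offline; the real urllib opener is included for use against live hosts.

```python
# Added example (not from the CWE entry or any listed vendor): a URL fetcher that
# validates the destination of every hop. Host names and FAKE_DNS are constructed.
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


class SsrfRejected(ValueError):
    """Raised when a URL (or a redirect target) points somewhere we must not reach."""


def system_resolver(host):
    """Return every address (A and AAAA) the system resolver gives for host."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror as exc:
        raise SsrfRejected(f"cannot resolve {host!r}") from exc


def is_public_address(addr_str):
    """True only for globally routable unicast. Rejects loopback, RFC 1918, link-local
    (169.254.169.254 cloud metadata), CGNAT 100.64/10, 0.0.0.0, multicast and
    reserved ranges; an IPv4-mapped IPv6 address is unwrapped before the check."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_url(url, resolver=system_resolver):
    """Check scheme, userinfo and the *resolved* destination of url.
    Matching on the hostname string alone is not enough: '2130706433', '0x7f000001'
    or an attacker-controlled DNS name all end up at an internal address."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("userinfo in URL")
    host = parts.hostname
    if not host:
        raise SsrfRejected("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, incl. [v6] forms
    except ValueError:
        addrs = resolver(host)                     # DNS name: check every record
    for addr in addrs:
        if not is_public_address(addr):
            raise SsrfRejected(f"{host!r} resolves to non-public {addr}")
    return parts


def fetch_trusted(url, opener, resolver=system_resolver):
    """Fetch url, following at most MAX_REDIRECTS redirects by hand so that every
    hop is validated. opener(url) -> (status, headers, body) and must not follow
    redirects itself, otherwise the redirect target is never checked."""
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(url, resolver)
        status, headers, body = opener(url)
        headers = {k.lower(): v for k, v in headers.items()}
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])  # relative Location -> absolute
            continue
        return status, body
    raise SsrfRejected("too many redirects")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def urllib_opener(url):
    """Real network opener for fetch_trusted; redirects are returned, not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


# Constructed DNS table and server so the example runs offline.
FAKE_DNS = {
    "files.example": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # one public, one internal record
}


def fake_resolver(host):
    if host not in FAKE_DNS:
        raise SsrfRejected(f"cannot resolve {host!r}")
    return FAKE_DNS[host]


def fake_opener(url):
    """Constructed server: the public host answers with a redirect to the metadata service."""
    if urlparse(url).hostname == "files.example":
        return 302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""
    return 200, {}, b"ok"


def is_safe_url(url, resolver=system_resolver):
    try:
        validate_url(url, resolver)
        return True
    except SsrfRejected:
        return False


def demo():
    """Outcome of each constructed case."""
    try:
        fetch_trusted("http://files.example/report.pdf", fake_opener, fake_resolver)
        redirect_blocked = False
    except SsrfRejected:
        redirect_blocked = True
    return {
        "public": is_safe_url("https://files.example/x", fake_resolver),
        "internal_name": is_safe_url("http://internal.corp/admin", fake_resolver),
        "metadata_literal": is_safe_url("http://169.254.169.254/latest/meta-data/", fake_resolver),
        "mapped_v6": is_safe_url("http://[::ffff:127.0.0.1]/", fake_resolver),
        "file_scheme": is_safe_url("file:///etc/passwd", fake_resolver),
        "mixed_records": is_safe_url("http://rebind.example/", fake_resolver),
        "redirect_blocked": redirect_blocked,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

One caveat a reviewer should raise against this pattern: validate_url resolves the name once, and the real opener resolves it again when it connects, so a DNS name whose answer changes between the two lookups (DNS rebinding) can still reach an internal address. Closing that gap means connecting to the validated IP and sending the original host in the Host header (or using a client with a connect-time IP filter), which this example does not do.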

2,758 vulnerabilities with CWE-918
CVE-2021-40109 MEDIUM
Concrete CMS < 8.5.6 - Server-Side Request Forgery via File Upload URL Redirect
CVSS 6.4
CVE-2021-41385 MEDIUM
Securonix SNYPR 6.3.1 - Authenticated SSRF in Third Party Intelligence Connector
CVSS 6.5
CVE-2021-41587 HIGH
Gradle Enterprise >=2017.6 <2021.1.3 - Server-Side Request Forgery
CVSS 7.5
CVE-2021-41586 HIGH
Gradle Enterprise 2020.4-2021.1.2 - Server-Side Request Forgery
CVSS 7.5
CVE-2021-21993 MEDIUM
VMware Cloud Foundation 3.0-5.0 and vCenter Server - Server-Side Request Forgery in Content Library
CVSS 6.5
CVE-2021-39339 MEDIUM
Telefication < 1.8.0 - Server-Side Request Forgery via bypass.php
CVSS 5.8
CVE-2021-41084 HIGH
http4s < 0.21.29 - HTTP Response Splitting via Header and URI Field Injection
CVSS 8.7
CVE-2021-37419 HIGH
ManageEngine ADSelfService Plus < 6112 - Server-Side Request Forgery
CVSS 7.5
CVE-2021-40438 CRITICAL KEV
Apache HTTP Server <= 2.4.48 - SSRF via crafted request uri-path in mod_proxy
CVSS 9.0
CVE-2021-33705 HIGH
SAP NetWeaver Portal 7.10-7.50 - Unauthenticated Server-Side Request Forgery via Iviews Editor
CVSS 8.1
CVE-2021-33690 CRITICAL
SAP NetWeaver Development Infrastructure Component Build Service 7.11-7.50 - Server-Side Request Forgery
CVSS 9.9
CVE-2021-23029 HIGH
F5 BIG-IP Advanced WAF and ASM 16.0.0-16.0.1.1 - Authenticated Server-Side Request Forgery
CVSS 8.8
CVE-2021-28910 HIGH
BAB TECHNOLOGIE eibPort V3 < 3.9.1 - Unauthenticated Server-Side Request Forgery
CVSS 7.5
CVE-2021-40537 LOW
owncloud/user_ldap < 0.15.4 - Authenticated Server-Side Request Forgery in Settings
CVSS 2.7
CVE-2021-39497 CRITICAL
EyouCMS 1.5.4 - Blind Server-Side Request Forgery via saveRemote Function
CVSS 9.8
CVE-2021-39195 HIGH
Misskey < 12.90.0 - Server-Side Request Forgery via Upload from URL
CVSS 7.7
CVE-2021-3758 MEDIUM
BookStack 21.08 - Server-Side Request Forgery
CVSS 6.5
CVE-2021-36043 HIGH
Magento Commerce <= 2.4.2 and <= 2.3.7 - Blind SSRF
CVSS 8.0
CVE-2021-22027 HIGH
VMware vRealize Operations Manager 8.0.0-8.4.x - Unauthenticated Server-Side Request Forgery via API Endpoint
CVSS 7.5
CVE-2021-22026 HIGH
VMware vRealize Operations Manager 8.0.0-8.4.x - Unauthenticated Server-Side Request Forgery via API Endpoint
CVSS 7.5
CVE-2021-28627 MEDIUM
Adobe Experience Manager < 6.5.8.0 - Authenticated Server-Side Request Forgery
CVSS 5.4
CVE-2021-39152 HIGH
XStream < 1.4.18 - Server-Side Request Forgery via Manipulated Input Stream (Java 8-14)
CVSS 8.5
CVE-2021-39150 HIGH
XStream < 1.4.18 - Server-Side Request Forgery via Manipulated Input Stream (Java 8-14)
CVSS 8.5
CVE-2021-22255 HIGH
baserow 0.6.0-1.1.0 - Authenticated Server-Side Request Forgery via URL File Upload
CVSS 7.7
CVE-2021-37711 HIGH
shopware < 6.4.3.1 - Authenticated Server-Side Request Forgery via File Upload URL
CVSS 8.8