CWE-918

Server-Side Request Forgery (SSRF)

Parent: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

2,758 vulnerabilities with CWE-918
CVE-2021-22696 HIGH
Apache CXF < 3.3.10 and 3.4.0-3.4.3 - Server-Side Request Forgery via OAuth 2 request_uri Parameter
CVSS 7.5
CVE-2021-26072 MEDIUM
Confluence Server and Data Center < 5.8.6 - Server-Side Request Forgery via WidgetConnector
CVSS 4.3
CVE-2021-21975 HIGH KEV
VMware vRealize Operations Manager < 8.4 - Server-Side Request Forgery via API
CVSS 7.5
CVE-2021-22986 CRITICAL KEV
F5 iControl REST Unauthenticated SSRF Token Generation RCE
CVSS 9.8
CVE-2021-1627 CRITICAL
Mule 3.8.0-4.2.1 - Server-Side Request Forgery
CVSS 9.8
CVE-2021-26715 CRITICAL
MITREid Connect < 1.3.3 - Unauthenticated Server-Side Request Forgery via Dynamic Client Registration Logo URI
CVSS 9.1
CVE-2021-22179 MEDIUM
GitLab 12.2.0-13.6.5 - Server-Side Request Forgery via Outbound Requests
CVSS 5.4
CVE-2021-22178 MEDIUM
GitLab 13.2.0-13.6.6 - Server-Side Request Forgery via Prometheus Integration
CVSS 5.0
CVE-2021-21349 MEDIUM
NetApp OnCommand Insight < 5.15.14 - SSRF
CVSS 6.1
CVE-2021-21342 MEDIUM
NetApp OnCommand Insight < 5.15.14 - SSRF
CVSS 5.3
CVE-2021-26855 CRITICAL KEV
Microsoft Exchange ProxyLogon RCE
CVSS 9.1
CVE-2021-23345 MEDIUM
github.com/thecodingmachine/gotenberg - SSRF
CVSS 5.3
CVE-2021-27670 CRITICAL
Appspace 6.2.4 - Server-Side Request Forgery via API Proxy URL Parameter
CVSS 9.8
CVE-2021-21973 MEDIUM KEV
VMware vCenter Server and Cloud Foundation - Server-Side Request Forgery via vSphere Client Plugin
CVSS 5.3
CVE-2021-27214 MEDIUM
ManageEngine ADSelfService Plus <= 6013 - Unauthenticated Server-Side Request Forgery via ProductConfig Servlet
CVSS 6.1
CVE-2021-3204 MEDIUM
Webware Webdesktop 5.1.15 - Server-Side Request Forgery in Document Conversion Component
CVSS 6.5
CVE-2021-27329 CRITICAL
Friendica 2021.01 - SSRF
CVSS 10.0
CVE-2021-27103 CRITICAL KEV
Accellion FTA < 9_12_416 - Server-Side Request Forgery via wmProgressstat.html
CVSS 9.8
CVE-2021-21311 HIGH KEV
Adminer 4.0.0-4.7.8 - Server-Side Request Forgery
CVSS 7.2
CVE-2021-21288 MEDIUM
CarrierWave < 1.3.2 - Server-Side Request Forgery via Download Feature
CVSS 4.3
CVE-2021-25241 MEDIUM
Trend Micro Apex One & Worry-Free Business Security 10.0 SP1 - SSRF
CVSS 5.3
CVE-2021-25236 MEDIUM
Trend Micro OfficeScan XG SP1 and Worry-Free Business Security 10.0 SP1 - Unauthenticated Server-Side Request Forgery
CVSS 5.3
CVE-2021-21287 HIGH
MinIO < RELEASE.2021-01-30T00-20-58Z - SSRF
CVSS 7.7
CVE-2021-1272 HIGH
Cisco Data Center Network Manager < 11.5(1) - Unauthenticated Server-Side Request Forgery via HTTP Request Parameter
CVSS 8.8
CVE-2021-21009 HIGH
Adobe Campaign Classic Gold Standard < 20.3.1 - SSRF
CVSS 8.6