CVE-2021-22969

MEDIUM

Concrete CMS < 8.5.7 - Server-Side Request Forgery via DNS Rebind Attack

Title source: llm

Description

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices.This fix is also in Concrete version 9.0.0

References (2)

Core 2

Core References

Permissions Required x_refsource_misc

https://hackerone.com/reports/1369312

Release Notes, Vendor Advisory x_refsource_misc

https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes

Scores

CVSS v3 5.3

EPSS 0.0083

EPSS Percentile 53.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-918

Status published

Products (2)

concrete5/core 0 - 8.5.7Packagist

concretecms/concrete_cms < 8.5.7

Published Nov 19, 2021

Tracked Since Feb 18, 2026