CVE-2024-22873

HIGH

Tencent Blueking CMDB 3.2.2-3.9.47 - Server-Side Request Forgery via Event Subscription Function

Title source: llm

Description

Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attackers to access internal requests via a crafted POST request.

References (4)

Core 4

Core References

Product

http://blueking.com

Product

http://tencent.com

Third Party Advisory

https://gist.github.com/exp1orer/0f190c6a64b668a9b1c4c47789affa09

Exploit

https://sphenoid-enquiry-9be.notion.site/BK-CMDB-SSRF-ba21e94f4976460188fa52d26c15a6ae?pvs=4

Scores

CVSS v3 8.1

EPSS 0.0067

EPSS Percentile 47.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-918

Status published

Products (1)

tencent/blueking_configuration_management_database 3.2.2 - 3.9.47

Published Feb 26, 2024

Tracked Since Feb 18, 2026