{"id": "CVE-2023-46725", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2023-11-02T15:15:08.847", "references": [{"url": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/foodcoopshop/foodcoopshop/pull/972", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://pastebin.com/8K5Brwbq", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": 
"FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability."}, {"lang": "es", "value": "FoodCoopShop es un software de c\u00f3digo abierto para cooperativas de alimentos y tiendas locales. Las versiones que comienzan con 3.2.0 anteriores a 3.6.1 son vulnerables a server-side request forgery. En el m\u00f3dulo de Network, una cuenta de fabricante puede usar el endpoint `/api/updateProducts.json` para hacer que el servidor env\u00ede una solicitud a un host arbitrario. Esto significa que el servidor se puede utilizar como proxy en la red interna donde se encuentra el servidor. Adem\u00e1s, las comprobaciones de una imagen v\u00e1lida no son adecuadas, lo que genera un problema de tiempo de verificaci\u00f3n de uso. Por ejemplo, al usar un servidor personalizado que devuelve 200 en solicitudes HEAD, luego devuelve una imagen v\u00e1lida en la primera solicitud GET y luego una redirecci\u00f3n 302 al destino final en la segunda solicitud GET, el servidor copiar\u00e1 cualquier archivo que est\u00e9 en el destino de la redirecci\u00f3n, haciendo Esta es una SSRF completa. 
La versi\u00f3n 3.6.1 corrige esta vulnerabilidad."}], "lastModified": "2023-11-09T21:16:04.827", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:foodcoopshop:foodcoopshop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F749AE9-CD3D-408F-ADA7-47D384325618", "versionEndIncluding": "3.6.0", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}