CVE-2018-9302
Published 2018-05-02
Priority P2 · 65 · Critical 9.1 (CVSS 3.0)
Exploit: known
EPSS: 10.85% (95.3rd percentile)
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2017-14611, which was about version 0.13.0, which (surprisingly) is an earlier version than 0.4.4.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getcockpit | cockpit | 0.4.4 – 0.5.5 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to /assets/lib/fuc.js.php that carry a 'url' parameter; this is the SSRF trigger endpoint for CVE-2018-9302.
- Alert on requests to /assets/lib/fuc.js.php where the 'url' parameter contains internal/RFC-1918 IP addresses or non-HTTP(S) schemes (gopher, dict, ldap, imap, pop3, smtp, telnet, tftp, ftp), indicating SSRF or protocol abuse.
- The exploit relies on an open redirect via an attacker-controlled redirect.php to bypass URL validation; watch for outbound requests from the web server that were initiated by /assets/lib/fuc.js.php and followed a redirect chain to internal hosts.
- CURLOPT_FOLLOWLOCATION being set to 1 (the default) enables redirect-based SSRF; detection should flag any server-side curl activity originating from fuc.js.php that reaches RFC-1918 address space.
- The SSRF is exploitable without curl if PHP's allow_url_fopen is enabled (the default), although protocol support is then limited to http, https and ftp.
- When curl is available, the attacker can use additional protocols (gopher, tftp, dict, ldap, imap, pop3, smtp, telnet), significantly expanding the attack surface beyond plain HTTP SSRF.
- This CVE affects Cockpit versions 0.4.4 through 0.5.5 and stems from an incomplete fix for CVE-2017-14611, which affected version 0.13.0 (a numerically higher but chronologically older release).
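As an added example, not taken from the page's sources: a small Python scan that applies the first two detection points above (trigger endpoint with a 'url' parameter whose target is an internal address or uses a non-HTTP(S) scheme) to constructed access-log lines. The log format, source addresses and hostnames are assumed; a bare hostname is only marked for review, because the open-redirect bypass described above means its final destination cannot be judged from the log line alone.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined"-style access-log line (format assumed for this example);
# only the source IP, request target and status are extracted.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TRIGGER_PATH = "/assets/lib/fuc.js.php"


def classify_target(url: str) -> str:
    """Classify a decoded 'url' value: 'scheme' (missing or non-HTTP(S) scheme, e.g.
    gopher/dict/ftp protocol abuse via curl), 'internal' (literal RFC-1918, loopback
    or link-local address), 'review' (hostname: it may resolve or redirect to an
    internal host, so follow the redirect chain by hand) or 'external'."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "scheme"
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "review"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"


def scan(lines):
    """Yield (source_ip, verdict, url) for each request hitting the trigger endpoint."""
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != TRIGGER_PATH:
            continue
        for url in parse_qs(query).get("url", []):  # parse_qs percent-decodes values
            yield m.group("src"), classify_target(url), url


# Constructed sample lines (not real traffic); addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/May/2018:10:00:00 +0000] "GET /assets/lib/fuc.js.php?url=http%3A%2F%2F10.0.0.5%2Fadmin HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/May/2018:10:00:01 +0000] "GET /assets/lib/fuc.js.php?url=ftp%3A%2F%2F192.0.2.10%2Ffile.txt HTTP/1.1" 200 64',
    '198.51.100.7 - - [02/May/2018:10:00:02 +0000] "GET /assets/lib/fuc.js.php?url=http%3A%2F%2Fexample.org%2Fredirect.php HTTP/1.1" 200 0',
    '198.51.100.7 - - [02/May/2018:10:00:03 +0000] "GET /assets/lib/fuc.js.php?url=https%3A%2F%2F93.184.216.34%2F HTTP/1.1" 200 100',
    '198.51.100.7 - - [02/May/2018:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048',
]
```

Running `list(scan(SAMPLE_LOG))` yields one tuple per trigger-endpoint request, with verdicts internal, scheme, review and external for the four sample hits; the plain /index.php request is skipped.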
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
No detection rules found.
No writeups or analysis indexed.