CVE-2020-25787
Published 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.
Priority: P2 · 65 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 18.42% (96.9th percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | tt-rss | < tt-rss 21~git20210204.b4cbc79+dfsg-1 (bookworm) | tt-rss 21~git20210204.b4cbc79+dfsg-1 (bookworm) |
| tt-rss | tiny_tiny_rss | < 2020-09-16 | 2020-09-16 |
Detection & IOCs (extracted from sources)
URL indicator: `public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=gopher://localhost:9000/_<FCGI_PAYLOAD>&text`
- Monitor HTTP requests to tt-rss containing the imgproxy plugin endpoint with a gopher:// scheme URL as the `url` parameter; this is the SSRF-to-FastCGI RCE attack vector.
- Alert on creation of `backdoor.php` under the tt-rss web root (e.g. /var/www/html/tt-rss/backdoor.php), which is the dropped web shell from successful exploitation.
- Detect outbound gopher:// scheme requests originating from the tt-rss application server, particularly targeting localhost port 9000 (PHP-FPM FastCGI), as this indicates SSRF abuse.
- Look for FastCGI PHP_VALUE injection strings such as `allow_url_include = On` and `auto_prepend_file = php://input` in network traffic to port 9000, indicating FastCGI parameter manipulation for RCE.
- Inspect inbound RSS/Atom feed XML files for embedded gopher:// URLs in item link or enclosure fields; the exploit delivers the attack vector via a crafted feed file named `malicious_RCE_feed.xml`.
- Flag any tt-rss request where the `url` parameter value uses a non-HTTP/HTTPS scheme (e.g. gopher://, ftp://, dict://), as the vulnerability is that tt-rss does not validate all URLs before requesting them.
- Note: the exploit specifically targets the default Docker installation of tt-rss, where the web root is /var/www/html/tt-rss/ and PHP-FPM listens on localhost:9000. Deployments with non-standard paths or PHP-FPM sockets may require adjusted detection paths.
- Note: the fix was introduced in commit c3d14e1fa54c7dade7b1b7955575e2991396d7ef; all tt-rss versions before 2020-09-16 are vulnerable. Debian resolved it in package version 21~git20210204.b4cbc79+dfsg-1.
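As an added illustration of the first and sixth detection bullets above (example code written for this page, not from the tt-rss project or the cited sources), the following Python scans web-server access-log lines for imgproxy requests whose `url` parameter uses a non-HTTP(S) scheme or points at port 9000. The log lines and the `PAYLOAD` marker are constructed samples, and the `/tt-rss/` path prefix is an assumption matching the default Docker layout.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from any real incident).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2020:10:01:02 +0000] "GET /tt-rss/public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=https%3A%2F%2Fexample.org%2Fimg.png HTTP/1.1" 200 512
10.0.0.7 - - [20/Sep/2020:10:01:09 +0000] "GET /tt-rss/public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=gopher%3A%2F%2Flocalhost%3A9000%2F_PAYLOAD HTTP/1.1" 200 0
10.0.0.7 - - [20/Sep/2020:10:01:15 +0000] "GET /tt-rss/public.php?op=pluginhandler&plugin=af_proxy_http&pmethod=imgproxy&url=http%3A%2F%2F127.0.0.1%3A9000%2F HTTP/1.1" 200 0
10.0.0.9 - - [20/Sep/2020:10:02:00 +0000] "GET /tt-rss/index.php HTTP/1.1" 200 2048
"""

# Pulls the request target out of a combined-log-format request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
ALLOWED_SCHEMES = {"http", "https"}
FASTCGI_PORT = 9000  # default PHP-FPM port in the Docker deployment


def classify_request(target):
    """Return a reason string if the request looks like imgproxy SSRF abuse, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/public.php"):
        return None
    q = parse_qs(parts.query)  # percent-decodes values, so encoded schemes are seen too
    if (q.get("op") != ["pluginhandler"] or q.get("plugin") != ["af_proxy_http"]
            or q.get("pmethod") != ["imgproxy"]):
        return None
    proxied = urlsplit(q.get("url", [""])[0])
    if proxied.scheme not in ALLOWED_SCHEMES:
        return f"non-http scheme '{proxied.scheme or '<none>'}' in imgproxy url"
    if proxied.port == FASTCGI_PORT:
        return "imgproxy url targets port 9000 (PHP-FPM FastCGI)"
    return None


def scan_log(text):
    """Return (line_number, reason) pairs for every suspicious request in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            findings.append((lineno, reason))
    return findings


if __name__ == "__main__":
    for lineno, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {reason}")
```

The port-9000 check catches loopback targets even over plain http, which the scheme check alone would miss; feed-delivered payloads (the fifth bullet) need separate inspection of fetched feed XML.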
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | - | 9.8 | CRITICAL | - |
| vendor_debian | - | 9.8 | CRITICAL | - |
Debian
vendor_debian · 2020 · CVSS 9.8
CVE-2020-25787 [CRITICAL] tt-rss - An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.
Scope: local
bookworm: resolved (fixed in 21~git20210204.b4cbc79+dfsg-1)
bullseye: resolved (fixed in 21~git20210204.b4cbc79+dfsg-1)
sid: resolved (fixed in 21~git20210204.b4cbc79+dfsg-1)
GHSA
ghsa_unreviewed · 2022-05-24
GHSA-8966-pp95-9j6j (CVE-2020-25787) [CRITICAL] CWE-20: An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.
OSV
osv · 2020-09-19 · CVSS 9.8
CVE-2020-25787 [CRITICAL]: An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. It does not validate all URLs before requesting them.
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/161606/TinyTinyRSS-Remote-Code-Execution.html
- https://blog.neagaru.com/p/exploiting-tiny-tiny-rss-2020
- https://community.tt-rss.org/t/heads-up-several-vulnerabilities-fixed/3799
- https://git.tt-rss.org/fox/tt-rss/commit/c3d14e1fa54c7dade7b1b7955575e2991396d7ef