CVE-2020-28168

CWE-918 — Server-Side Request Forgery (SSRF)7 documents6 sources

Severity

5.9MEDIUM

EPSS

0.4%

top 36.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Siemens Sinec INS Axios Axios

Timeline

PublishedNov 6

Latest updateJan 4

Description

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

▶npmaxios< 0.21.1

▶Debiannode-axios< 0.21.1+dfsg-1+3

▶NVDaxios/axios0.19.0 — 0.21.0

▶NVDsiemens/sinec_ins< 1.0+1

🔴Vulnerability Details

OSV

Axios vulnerable to Server-Side Request Forgery↗2021-01-04

▶

GHSA

Axios vulnerable to Server-Side Request Forgery↗2021-01-04

▶

CVEList

CVE-2020-28168: Axios NPM package 0↗2020-11-06

▶

OSV

CVE-2020-28168: Axios NPM package 0↗2020-11-06

▶

📋Vendor Advisories

Red Hat

nodejs-axios: allows an attacker to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address↗2020-10-29

▶

Debian

CVE-2020-28168: node-axios - Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerabi...↗2020

▶