CVE-2021-22958
published 2021-10-07CVE-2021-22958: A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in…
PriorityP348critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.19%
64.0th percentile
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed.CVSSv2.0 AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 0 < 8.5.5 | 8.5.5 |
| concretecms | concrete_cms | < 8.5.5 | 8.5.5 |
| https | github.com_concrete5_concrete5 | — | — |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Server-Side Request Forgery vulnerability in concrete5
osv·2021-10-12
CVE-2021-22958 [HIGH] Server-Side Request Forgery vulnerability in concrete5
Server-Side Request Forgery vulnerability in concrete5
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed.
GHSA
Server-Side Request Forgery vulnerability in concrete5
ghsa·2021-10-12
CVE-2021-22958 [HIGH] CWE-918 Server-Side Request Forgery vulnerability in concrete5
Server-Side Request Forgery vulnerability in concrete5
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2021-10-07
Published