CVE-2022-2756
published 2022-08-10

CVE-2022-2756: Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.

Priority: P3 (42) · Severity: medium, 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit
EPSS: 2.30% (81.1 percentile)

Affected

9 ranges
Vendor         Product                                   Version range               Fixed in
kareadita      kareadita_kavita                          >= unspecified, < 0.5.4.1   0.5.4.1
kavitareader   kavita                                    < 0.5.4.1                   0.5.4.1
msrc           azl3_php_8.3.12-1_on_azure_linux_3.0      -                           -
msrc           azure_linux_3.0_arm                       -                           -
msrc           azure_linux_3.0_x64                       -                           -
msrc           cbl2_php_8.1.22-2_on_cbl_mariner_2.0      -                           -
msrc           cbl2_php_8.1.28-1_on_cbl_mariner_2.0      -                           -
msrc           cbl_mariner_2.0_arm                       -                           -
msrc           cbl_mariner_2.0_x64                       -                           -

Detection & IOCs (extracted from sources)

url    POST /api/account/login
url    POST /api/upload/upload-by-url
url    GET /api/image/cover-upload?filename=coverupload_{(unknown)}.png
path   /api/upload/upload-by-url
path   /api/image/cover-upload
  • SSRF trigger: a POST to /api/upload/upload-by-url with a JSON body containing an attacker-controlled URL (e.g. an OOB callback URL ending in #.png to bypass the image extension check). Requires a valid Bearer token obtained from /api/account/login.
  • SSRF confirmation: after the upload-by-url request, retrieve the stored file via GET /api/image/cover-upload?filename=coverupload_<uuid>.png and check that the response body contains 'Interactsh Server' (the OOB interaction), with Content-Type image/png and HTTP 200.
  • Authentication flow: extract the JWT Bearer token from the login response using the regex '"token":"(.*?)"' and reuse it in the subsequent SSRF requests.
  • Shodan/FOFA fingerprinting for exposed Kavita instances: search for title:"kavita" or http.title:"kavita".
  • The SSRF-triggering filename in the cover-upload endpoint follows the pattern 'coverupload_<uuid>.png'; the UUID segment is extracted from the upload-by-url response using the regex 'coverupload.(.*?).png'.
  • Exploitation requires valid credentials (an authenticated user); the SSRF is not unauthenticated — a Bearer token must first be obtained via /api/account/login.
  • The SSRF payload uses a fragment trick (#.png) to satisfy the application's image extension check while pointing to an arbitrary OOB callback host.
  • The vulnerability is fixed in Kavita version 0.5.4.1; the patch commit is 9c31f7e7c81b919923cb2e3857439ec0d16243e4.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd             v3.0      7.1     HIGH       CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
osv             -         5.5     MEDIUM     -
vendor_msrc     -         6.5     MEDIUM     -
vendor_redhat   -         6.5     MEDIUM     -