CVE-2022-2756
Published 2022-08-10
CVE-2022-2756: Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.
Priority P3 · 42 · medium · 6.5 (CVSS 3.1): AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 2.30% (81.1st percentile)
Affected · 9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kareadita | kareadita_kavita | >= unspecified < 0.5.4.1 | 0.5.4.1 |
| kavitareader | kavita | < 0.5.4.1 | 0.5.4.1 |
| msrc | azl3_php_8.3.12-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_php_8.1.22-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_php_8.1.28-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
Detection & IOCs (extracted from sources)
- url: POST /api/account/login
- url: POST /api/upload/upload-by-url
- url: GET /api/image/cover-upload?filename=coverupload_{(unknown)}.png
- path: /api/upload/upload-by-url
- path: /api/image/cover-upload
- SSRF trigger: POST to /api/upload/upload-by-url with a JSON body containing an attacker-controlled URL (e.g. an OOB callback URL ending in #.png to bypass the image extension check). Requires a valid Bearer token obtained from /api/account/login.
- SSRF confirmation: after upload-by-url, retrieve the stored file via GET /api/image/cover-upload?filename=coverupload_<uuid>.png and check for an OOB interaction: a response body containing 'Interactsh Server' with Content-Type image/png and HTTP 200.
- Authentication flow: extract the JWT Bearer token from the login response using the regex '"token":"(.*?)"' and reuse it in subsequent SSRF requests.
- Shodan/FOFA fingerprinting for exposed Kavita instances: search for title:"kavita" or http.title:"kavita".
- The SSRF-triggering filename in the cover-upload endpoint follows the format 'coverupload_<uuid>.png'; extract the UUID segment from the upload-by-url response using the regex 'coverupload.(.*?).png'.
- Exploitation requires valid credentials (an authenticated user); the SSRF is not unauthenticated, a Bearer token must first be obtained via /api/account/login.
- The SSRF payload uses a fragment trick (#.png) to satisfy the application's image extension check while pointing at an arbitrary OOB callback host.
- The vulnerability is fixed in Kavita version 0.5.4.1; the patch commit is 9c31f7e7c81b919923cb2e3857439ec0d16243e4.
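The fragment trick described above works because a check on the raw URL string sees the trailing `.png` even though the fetched resource is whatever sits before the `#`. The following is an added defender-side example, not code from the advisory or from the Kavita project: it shows the weak raw-string check beside a hardened check that validates the parsed path, refuses fragments, credentials and non-HTTP schemes, and rejects literal non-global IPs, then runs that check over a few constructed log lines in a hypothetical format (Kavita's real log format is not on this page) to flag upload-by-url requests worth investigating.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_EXT = (".png", ".jpg", ".jpeg", ".webp")


def naive_is_image_url(url: str) -> bool:
    """Extension check on the raw string: 'http://host/#.png' passes this."""
    return url.lower().endswith(ALLOWED_EXT)


def hardened_is_image_url(url: str) -> bool:
    """Validate the parsed URL instead of the raw string.

    Refuses fragments, embedded credentials, non-HTTP schemes and literal
    non-global IPs. A hostname must additionally be resolved and the
    resulting address re-checked at fetch time (not done in this offline demo).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.fragment or parts.username or parts.password:
        return False
    try:
        if not ipaddress.ip_address(parts.hostname).is_global:
            return False  # loopback, private, link-local, etc.
    except ValueError:
        pass  # not a literal IP; see docstring about DNS re-check
    return parts.path.lower().endswith(ALLOWED_EXT)


# Constructed sample log lines in a hypothetical format that records the body URL.
SAMPLE_LOG = """\
2022-08-10T10:00:01Z POST /api/upload/upload-by-url user=alice url="https://cdn.example.org/covers/book.png"
2022-08-10T10:00:07Z POST /api/upload/upload-by-url user=bob url="http://callback.example.net/#.png"
2022-08-10T10:00:09Z POST /api/upload/upload-by-url user=bob url="http://10.0.0.5/x.png"
2022-08-10T10:00:12Z GET /api/image/cover-upload?filename=coverupload_1234.png user=bob
"""

LINE_RE = re.compile(r'^(\S+) POST /api/upload/upload-by-url user=(\S+) url="([^"]*)"')


def flag_suspicious_uploads(log_text: str) -> list:
    """Return (timestamp, user, url) for upload-by-url requests failing the hardened check."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and not hardened_is_image_url(m.group(3)):
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    for ts, user, url in flag_suspicious_uploads(SAMPLE_LOG):
        print(f"{ts} {user} {url}")
```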
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v3.0 | 7.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| osv | — | 5.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
OSV
CVE-2022-4900: php7.4, php8.1, php8.2 vulnerabilities
osv · 2024-05-02 · CVSS 5.5
USN-6757-1 fixed vulnerabilities in PHP. Unfortunately these fixes were incomplete for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10. This update fixes the problem.
Original advisory details:
It was discovered that PHP incorrectly handled the PHP_CLI_SERVER_WORKERS variable. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-4900)
It was discovered that PHP incorrectly handled certain cookies. An attacker could possibly use this issue to perform a cookie bypass. (CVE-2024-2756)
It was discovered that PHP incorrectly handled some passwords. An attacker could possibly use this issue to cause an account takeover attack. (CVE-2024-3096)
OSV
CVE-2022-4900: php7.0, php7.2, php7.4, php8.1 vulnerabilities
osv · 2024-04-29 · CVSS 5.5
It was discovered that PHP incorrectly handled the PHP_CLI_SERVER_WORKERS variable. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-4900)
It was discovered that PHP incorrectly handled certain cookies. An attacker could possibly use this issue to perform a cookie bypass. (CVE-2024-2756)
It was discovered that PHP incorrectly handled some passwords. An attacker could possibly use this issue to cause an account takeover attack. (CVE-2024-3096)
GHSA
GHSA-v6vr-jvvr-p4m5 · CVE-2022-2756 [MEDIUM] · CWE-918
ghsa_unreviewed · 2022-08-11
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.
Red Hat
CVE-2024-2756 [MEDIUM] · CWE-20 · php: host/secure cookie bypass due to partial CVE-2022-31629 fix
vendor_redhat · 2024-04-12 · CVSS 6.5
Due to an incomplete fix to CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.
An improper input validation vulnerability was found in PHP. Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser.
Statement: The vulnerability in PHP, where an insecure cookie is misinterpreted as a __Host- or __Secure- cookie due to the incomplete fix for CVE-2022-31629, poses a moderate severity risk. While it allows attackers to set cookies with misleading prefixes, bypassing some cooki
Microsoft
CVE-2024-2756 [MEDIUM] · CWE-20 · __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
vendor_msrc · 2024-04-09 · CVSS 6.5
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open-source libraries of which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
php: php
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https:/
No detection rules found.
Nuclei
CVE-2022-2756 [MEDIUM] · Kavita <0.5.4.1 - Server-Side Request Forgery
nuclei · CVSS 6.5
Kavita before 0.5.4.1 is susceptible to server-side request forgery in GitHub repository kareadita/kavita. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
Template:
```yaml
id: CVE-2022-2756

info:
  name: Kavita <0.5.4.1 - Server-Side Request Forgery
  author: theamanrawat
  severity: medium
  description: |
    Kavita before 0.5.4.1 is susceptible to server-side request forgery in GitHub repository kareadita/kavita. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability can result in unauthori
```
No writeups or analysis indexed.
Published: 2022-08-10