CVE-2022-40083
Published 2022-09-28
Priority P348 · critical · CVSS 3.1 base score 9.6 · vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploit likelihood: EPSS 2.31% (81.2nd percentile)
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-labstack-echo | < golang-github-labstack-echo 4.11.1-1 (forky) | golang-github-labstack-echo 4.11.1-1 (forky) |
| debian | golang-github-labstack-echo.v2 | < golang-github-labstack-echo 4.11.1-1 (forky) | golang-github-labstack-echo 4.11.1-1 (forky) |
| debian | golang-github-labstack-echo.v3 | < golang-github-labstack-echo 4.11.1-1 (forky) | golang-github-labstack-echo 4.11.1-1 (forky) |
| github.com | labstack_echo_v4 | >= 0 < 4.9.0 | 4.9.0 |
| labstack | echo | — | — |
Detection & IOCs (extracted from sources)
Probe URL: {{BaseURL}}//interactsh.com%2f..
- Send a GET request with a double-slash path containing a URL-encoded slash followed by '..': //interactsh.com%2f.. A vulnerable Labstack Echo 4.8.0 Static Handler will respond with HTTP 301 and a Location header matching ^\s*//interactsh.com/\..
- The vulnerability is specifically in the Static Handler component of Labstack Echo 4.8.0; monitor for double-slash redirect patterns in HTTP 301 responses originating from Echo-based applications.
- The Nuclei template targets interactsh.com as the redirect destination for detection; in production scanning, replace it with a controlled out-of-band interaction server to avoid unintended external requests.
- Fixed versions include Echo 4.9.0+ (upstream) and 4.11.1-1 (Debian); detections should be scoped to instances running exactly 4.8.0 or earlier unfixed releases.
CVSS provenance
- NVD (v3.1): 9.6 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- OSV: 9.6 CRITICAL
- Debian (vendor): 9.6 CRITICAL
OSV · 2022-10-11
Open redirect in github.com/labstack/echo/v4
Labstack Echo contains an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
OSV · 2022-09-29 · CRITICAL
Labstack Echo Open Redirect vulnerability
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). Version 4.9.0 contains a patch for the issue.
GHSA · 2022-09-29 · CRITICAL · CWE-601
Labstack Echo Open Redirect vulnerability
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF). Version 4.9.0 contains a patch for the issue.
OSV · 2022-09-28 · CRITICAL · CVSS 9.6
CVE-2022-40083: Labstack Echo v4
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
Debian · 2022 · CRITICAL · CVSS 9.6
CVE-2022-40083: golang-github-labstack-echo - Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability vi...
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
Scope: local
- bookworm: open
- forky: resolved (fixed in 4.11.1-1)
- sid: resolved (fixed in 4.11.1-1)
- trixie: resolved (fixed in 4.11.1-1)
No detection rules found.
Nuclei · CRITICAL · CVSS 9.6
Labstack Echo 4.8.0 - Open Redirect
Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:

```yaml
id: CVE-2022-40083

info:
  name: Labstack Echo 4.8.0 - Open Redirect
  author: pdteam
  severity: critical
  description: |
    Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    Successful exploitation of this vulnerability could lead to ph
```
No writeups or analysis indexed.