CVE-2022-43140
published 2022-11-17

CVE-2022-43140: kkFileView v4.1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component…

Priority: P3 52 high
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Tags: EXPLOIT
EPSS: 1.95% (77.7th percentile)
kkFileView v4.1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. This vulnerability allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the url parameter.

Affected (1 range)

Vendor: keking
Product: kkfileview
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /getCorsFile?urlPath={{base64('https://oast.me')}}
path: /getCorsFile
other: urlPath=<base64-encoded-url>
  • The SSRF endpoint is reachable via HTTP GET to /getCorsFile with a base64-encoded URL supplied in the `urlPath` query parameter. Probe for out-of-band interactions (e.g. Interactsh) to confirm exploitation.
  • A successful SSRF response body contains the string ' Interactsh Server ' — use this as a word-match indicator in automated scanners.
  • Identify exposed kkFileView instances via Shodan using the queries: http.html:"kkFileView" or http.html:"kkfileview", and via FOFA using app="kkFileView", app="kkfileview", or body="kkfileview".
  • The vulnerable Java component is cn.keking.web.controller.OnlinePreviewController#getCorsFile — monitor application logs and WAF rules for requests targeting this controller method.
  • The Nuclei template targets kkFileView version 4.1.0 specifically (CPE: cpe:2.3:a:keking:kkfileview:4.1.0). Confirm the installed version before treating scan results as true positives.
  • The detection matcher relies on an out-of-band callback to an Interactsh server. Ensure your scanning environment has outbound connectivity and a live Interactsh instance to avoid false negatives.
  • The urlPath parameter value must be base64-encoded; raw URLs supplied directly will not trigger the vulnerability as expected by the template.
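Added example (not from the advisory or the kkFileView project): a defender-side scanner that reads access-log lines, flags requests to the /getCorsFile endpoint, base64-decodes the urlPath value and classifies where the requested URL points, so that log review can separate out-of-band probes from requests aimed at internal address space. The combined log format, the client address and the sample lines are constructed assumptions.

```python
import base64, ipaddress, re
from urllib.parse import quote, unquote, urlsplit

REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # request field of a combined-format log line
VULN_PATH, VULN_PARAM = "/getCorsFile", "urlPath"            # endpoint and parameter named in the advisory

def query_param(query, name):
    """Raw value of `name`; unquote (not unquote_plus) so a '+' from the base64 alphabet survives."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote(value)
    return None
def decode_url_path(value):
    """Decode the base64 urlPath value; None if it is not valid base64 / UTF-8."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
def classify_target(url):
    """'internal' for loopback/private/link-local hosts or non-http(s) schemes, else 'external'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or host == "localhost":
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a hostname; resolution-time checks are out of scope here
    return "internal" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "external"
def scan_access_log(lines):
    """One finding per request to /getCorsFile: the decoded target URL and its classification."""
    findings = []
    for line in lines:
        m = REQ_RE.search(line)
        parts = urlsplit(m.group("target")) if m else None
        if not parts or parts.path != VULN_PATH:
            continue
        raw = query_param(parts.query, VULN_PARAM)
        decoded = decode_url_path(raw) if raw else None
        findings.append({"target": decoded, "kind": classify_target(decoded) if decoded else "undecodable"})
    return findings

def make_line(url):  # constructed access-log line carrying `url` base64-encoded in urlPath
    b64 = quote(base64.b64encode(url.encode()).decode(), safe="")
    return f'203.0.113.9 - - [17/Nov/2022:10:00:00 +0000] "GET {VULN_PATH}?{VULN_PARAM}={b64} HTTP/1.1" 200 512'

SAMPLE_LOG = [  # constructed sample input
    '203.0.113.9 - - [17/Nov/2022:09:59:00 +0000] "GET /index HTTP/1.1" 200 1024',
    make_line("https://oast.me"),         # out-of-band probe, as in the Nuclei template
    make_line("http://127.0.0.1:8080/"),  # request turned back at the host itself
]
```

Requests classified as "internal" are the ones worth escalating; "external" hits matching a known scanner callback domain indicate probing of the endpoint rather than data access.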