CVE-2023-27159
Published 2023-03-31
Priority: P179 · Severity: high · CVSS 3.1: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Flags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 36.17% (98.3rd percentile)
Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| appwrite | appwrite | <= 1.4.13 | — |
| appwrite | appwrite | <= 1.2.1 | — |
| appwrite | server-ce | 0 – 1.2.1 | — |
Detection & IOCs (extracted from sources)
- url: /v1/avatars/favicon?url=http://{{interactsh-url}}
- path: /v1/avatars/favicon
- yara: —
- shodan-query: title:"Sign In - Appwrite" / http.title:"sign in - appwrite"
- Detect SSRF exploitation attempts by monitoring GET requests to the '/v1/avatars/favicon' endpoint with an external or internal URL supplied in the 'url' parameter.
- Outbound HTTP requests originating from the server with the User-Agent string 'Appwrite-Server' in response to requests to '/v1/avatars/favicon' indicate active SSRF exploitation.
- Use Shodan queries 'title:"Sign In - Appwrite"' or 'http.title:"sign in - appwrite"' or favicon hash '-633108100' to identify exposed Appwrite instances for targeted scanning.
- Use FOFA query 'icon_hash=-633108100' or 'title="sign in - appwrite"' to enumerate internet-facing Appwrite instances potentially vulnerable to this SSRF.
- The vulnerability is unauthenticated (PR:N, UI:N); no authentication is required to trigger the SSRF via the favicon endpoint.
- CVE-2024-1063 is a bypass of the incomplete fix for CVE-2023-27159; both affect the same '/v1/avatars/favicon' endpoint. Ensure patching covers Appwrite <= 1.4.13 as well as <= 1.2.1.
- The SSRF affects Appwrite through version 1.2.1 for CVE-2023-27159, and the incomplete fix was bypassed up to version 1.4.13 (CVE-2024-1063). The attack surface is the same endpoint in both cases.
- The Nuclei template uses OOB/interactsh-based detection; a DNS/HTTP callback to an interactsh server from the target confirms exploitation. Ensure OOB infrastructure is available when running this check.
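As an added defender-side example (not code from this page, from Appwrite, or from any of the sources listed here), the following Python script applies the first two detection notes above to constructed log lines: it parses combined-format access-log entries for GET requests to /v1/avatars/favicon, decodes the url parameter, classifies the fetched host (loopback, link-local, private, or a public hostname) so internal targets stand out, and then checks a hypothetical egress-proxy log for server-originated fetches carrying the 'Appwrite-Server' User-Agent to non-public hosts. All IPs, hostnames and log lines are constructed, and the egress-line format is an assumption.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (documentation-range
# client IPs, made-up hosts). Lines 1, 2, 3, 5 and 6 hit the endpoint named in
# the advisory; line 4 is unrelated traffic.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [04/Dec/2023:10:01:02 +0000] "GET /v1/avatars/favicon?url=https%3A%2F%2Fexample.com HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2023:10:01:03 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2F10.0.0.1%3A5432%2F HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [04/Dec/2023:10:01:04 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2Flocalhost%3A8080%2F HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [04/Dec/2023:10:01:05 +0000] "GET /v1/account HTTP/1.1" 401 60 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Dec/2023:10:01:06 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2Fabc123.oast.example%2F HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.9 - - [04/Dec/2023:10:01:07 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2F169.254.1.1%2F HTTP/1.1" 200 0 "-" "curl/8.0"
"""

# Constructed egress-proxy lines in a hypothetical key=value format, for the
# complementary server-side signal: outbound fetches with the Appwrite-Server UA.
SAMPLE_EGRESS_LOG = """\
2023-12-04T10:01:02Z src=10.0.0.20 dst=example.com port=443 ua="Appwrite-Server"
2023-12-04T10:01:03Z src=10.0.0.20 dst=10.0.0.1 port=5432 ua="Appwrite-Server"
2023-12-04T10:01:04Z src=10.0.0.21 dst=10.0.0.1 port=5432 ua="pg-health-check"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
EGRESS_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) ua="(?P<ua>[^"]*)"'
)
FAVICON_PATH = "/v1/avatars/favicon"
SERVER_UA = "Appwrite-Server"  # User-Agent named in the detection notes
# Any non-public destination reached through this endpoint is a high-severity alert.
SEVERITY = {"loopback": "high", "link-local": "high", "private": "high",
            "external": "medium", "hostname": "medium", "missing": "low"}


def classify_host(host):
    """Bucket the host part of the fetched URL so internal targets stand out."""
    if not host:
        return "missing"
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: treated as external here, but it may still resolve to an
        # internal address (DNS rebinding), so correlate with the egress log.
        return "hostname"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "external"


def inspect_request(line):
    """Return an alert dict for a favicon-endpoint request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != FAVICON_PATH:
        return None
    fetched = parse_qs(parts.query).get("url", [None])[0]  # parse_qs percent-decodes
    host = urlsplit(fetched).hostname if fetched else None
    klass = classify_host(host)
    return {"src": m["src"], "ts": m["ts"], "status": m["status"],
            "url": fetched, "host": host, "host_class": klass,
            "severity": SEVERITY[klass]}


def scan_access_log(text):
    """All favicon-endpoint requests in the log, with host class and severity."""
    return [a for a in (inspect_request(line) for line in text.splitlines()) if a]


def scan_egress_log(text):
    """Flag server-originated fetches (Appwrite-Server UA) to non-public hosts."""
    alerts = []
    for line in text.splitlines():
        m = EGRESS_RE.match(line)
        if not m or m["ua"] != SERVER_UA:
            continue
        klass = classify_host(m["dst"])
        if klass in ("loopback", "link-local", "private"):
            alerts.append({"ts": m["ts"], "dst": m["dst"], "port": m["port"], "host_class": klass})
    return alerts


if __name__ == "__main__":
    for a in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{a['severity']:6}] {a['ts']} {a['src']} -> {a['host_class']}: {a['url']}")
    for a in scan_egress_log(SAMPLE_EGRESS_LOG):
        print(f"[egress] {a['ts']} server fetched {a['host_class']} host {a['dst']}:{a['port']}")
```

Requests whose url parameter names a public hostname are reported at medium severity rather than dropped: on an unpatched build every unauthenticated fetch through this endpoint is worth a look, and a hostname that looks public can still resolve internally, which is why the egress check keys on the destination the server actually connected to rather than on the name the client supplied.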
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| VulnCheck | — | 7.5 | HIGH | — |
GHSA (unreviewed) · 2024-01-30 · CVSS 7.5
CVE-2024-1063 [HIGH] CWE-918 · GHSA-vrjf-gppf-qvj4: Appwrite <= v1
Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159.
GHSA · 2023-03-31
CVE-2023-27159 [HIGH] CWE-918: Appwrite Server-Side Request Forgery vulnerability
Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component `/v1/avatars/favicon`. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request.
OSV · 2023-03-31
CVE-2023-27159 [HIGH]: Appwrite Server-Side Request Forgery vulnerability
VulnCheck · 2023 · CVSS 7.5
CVE-2023-27159 [HIGH]: appwrite appwrite Server-Side Request Forgery (SSRF)
Affected: appwrite appwrite
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-27159
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2023-27159
- https://dashboardshadowser
No detection rules found.
Nuclei · CVSS 7.5
CVE-2023-27159 [HIGH]: Appwrite <=1.2.1 - Server-Side Request Forgery
Appwrite through 1.2.1 is susceptible to server-side request forgery via the component /v1/avatars/favicon. An attacker can potentially access network resources and sensitive information via a crafted GET request, thereby also making it possible to modify data and/or execute unauthorized administrative operations in the context of the affected site.
Template:

```yaml
id: CVE-2023-27159

info:
  name: Appwrite <=1.2.1 - Server-Side Request Forgery
  author: DhiyaneshDk
  severity: high
  description: |
    Appwrite through 1.2.1 is susceptible to server-side request forgery via the component /v1/avatars/favicon. An attacker can potentially access network resources and sensitive information via a crafted GET request, thereby also making it possible to modify dat
```

References:
- http://appwrite.com
- https://gist.github.com/b33t1e/43b26c31e895baf7e7aea2dbf9743a9a
- https://gist.github.com/b33t1e/e9e8192317c111e7897e04d2f9bf5fdb
- https://github.com/appwrite/appwrite
- https://notes.sjtu.edu.cn/gMNlpByZSDiwrl9uZyHTKA