cbcvebase.
CVE-2023-27159
published 2023-03-31

Priority: P1 79 · high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
In the wild: exploited (VulnCheck KEV)
EPSS: 36.17% (98.3rd percentile)
Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request.
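The weakness class behind this record is a server-side fetch of a caller-supplied URL with no check on where it points. The following added example is illustrative Python written for this page; it is not Appwrite's PHP code and not the project's actual fix. It places that vulnerable pattern next to a resolve-then-check guard that refuses any non-public address and hands back the pinned addresses a fetcher must use. The resolver is injectable so the check runs offline; FAKE_DNS, rebind.test and all function names are constructed for the demo.

```python
"""Illustrative SSRF guard for a URL-fetching endpoint (added example, not Appwrite code)."""
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeUrl(ValueError):
    """Raised when a fetch target must not be contacted."""


def unchecked_target(url):
    """The vulnerable pattern: whatever host the caller names is what gets fetched,
    so http://169.254.169.254/ or http://[::1]:8080/ is contacted from inside the server."""
    return urlsplit(url).hostname


def system_resolver(host):
    """Every address the OS resolver returns for host (A and AAAA via getaddrinfo)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:127.0.0.1 is really 127.0.0.1
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918, loopback, link-local (169.254.169.254 included),
    # ULA, CGNAT and the documentation ranges; multicast is refused separately.
    return ip.is_global and not ip.is_multicast


def checked_target(url, resolver=system_resolver):
    """Return the sorted public addresses a fetcher may connect to, or raise UnsafeUrl.

    The caller must connect to one of the returned addresses (pinning) and re-run
    this check on every redirect; otherwise DNS rebinding or a 302 to localhost
    undoes the guard."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IPv4/IPv6: no lookup needed
    except ValueError:
        # Names, but also shorthand such as 127.1 or 0x7f000001, go through the
        # resolver, so the decision is made on resolved addresses, not on strings.
        addrs = set(resolver(host))
    if not addrs:
        raise UnsafeUrl(f"unresolvable host {host!r}")
    blocked = sorted(a for a in addrs if not is_public(a))
    if blocked:
        raise UnsafeUrl(f"{host!r} resolves to non-public address(es) {blocked}")
    return sorted(addrs)


def is_allowed(url, resolver=system_resolver):
    """Boolean convenience wrapper around checked_target."""
    try:
        checked_target(url, resolver)
        return True
    except UnsafeUrl:
        return False


# Constructed DNS answers for the offline demo (assumption, not real records).
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "rebind.test": {"8.8.8.8", "10.0.0.5"},   # split answer: one public, one internal
}


def fake_resolver(host):
    return FAKE_DNS.get(host, set())


if __name__ == "__main__":
    for url in ("https://example.com/favicon.ico",
                "http://169.254.169.254/latest/meta-data/",
                "http://[::1]:8080/",
                "http://rebind.test/",
                "file:///etc/passwd",
                "http://nosuch.test/"):
        try:
            print("allow", url, checked_target(url, fake_resolver))
        except UnsafeUrl as err:
            print("block", url, err)
```

The guard deliberately returns addresses rather than a boolean: a fetcher that validates the name and then lets its HTTP library resolve it again is still open to rebinding, and one that follows redirects without re-checking is still open to a public host that 302s to 127.0.0.1.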

Affected (3 ranges)

Vendor     Product    Version range   Fixed in
appwrite   appwrite   <= 1.4.13       -
appwrite   appwrite   <= 1.2.1        -
appwrite   server-ce  0 – 1.2.1       -

The <= 1.4.13 range is the reach of CVE-2024-1063, the bypass of this CVE's incomplete fix on the same endpoint (see Detection & IOCs); the 1.2.1 ranges are CVE-2023-27159 itself.

Detection & IOCs (extracted from sources)

url:    /v1/avatars/favicon?url=http://{{interactsh-url}}
path:   /v1/avatars/favicon
shodan: title:"Sign In - Appwrite" / http.title:"sign in - appwrite"
  • Detect SSRF exploitation attempts by monitoring GET requests to the '/v1/avatars/favicon' endpoint whose 'url' parameter points at an internal, loopback or link-local address (cloud metadata included) or at an out-of-band callback domain. A public site in 'url' is the endpoint's normal use, so alert on the destination rather than on the mere presence of the parameter.
  • Outbound HTTP requests originating from the server with the User-Agent string 'Appwrite-Server' in response to requests to '/v1/avatars/favicon' indicate active SSRF exploitation.
  • Use Shodan queries 'title:"Sign In - Appwrite"' or 'http.title:"sign in - appwrite"' or favicon hash '-633108100' to identify exposed Appwrite instances for targeted scanning.
  • Use FOFA query 'icon_hash=-633108100' or 'title="sign in - appwrite"' to enumerate internet-facing Appwrite instances potentially vulnerable to this SSRF.
  • The vulnerability is unauthenticated (PR:N, UI:N); no authentication is required to trigger the SSRF via the favicon endpoint.
  • CVE-2024-1063 is a bypass of the incomplete fix for CVE-2023-27159; both affect the same '/v1/avatars/favicon' endpoint. CVE-2023-27159 affects Appwrite through version 1.2.1 and the bypass reaches up to version 1.4.13, so ensure patching covers <= 1.4.13 as well as <= 1.2.1.
  • The Nuclei template uses OOB/interactsh-based detection: a DNS/HTTP callback to the interactsh server from the target confirms exploitation. Ensure OOB infrastructure is available when running this check.
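The detection bullets above say what to look for; the following added example (not from the advisory, the Nuclei template or Appwrite) turns them into a triage script run over constructed combined-format access-log lines. It goes a little beyond the list in the way a practitioner wants: a public site in 'url' is treated as benign because fetching it is the endpoint's job, and alerts fire only for internal, loopback, link-local/metadata, decimal-, hex- or percent-encoded and IPv4-mapped addresses, for non-HTTP schemes, and for callback domains matching a configurable list of interactsh/Collaborator suffixes. LOG_RE, OOB_SUFFIXES and the sample lines are assumptions of the example, not artefacts from the sources.

```python
"""Triage of access-log lines for /v1/avatars/favicon SSRF probes (added example)."""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format up to the status code; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: common interactsh / Burp Collaborator suffixes; add your own OOB domains.
OOB_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                "oast.me", "interact.sh", "burpcollaborator.net", "oastify.com")
INTERNAL_NAMES = ("localhost", "metadata.google.internal")
ALERT_CATEGORIES = ("internal-address", "internal-name", "oob-callback", "non-http-scheme")


def literal_ip(host):
    """Parse dotted/bracketed, decimal (2130706433) or hex (0x7f000001) hosts; None for names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        try:
            ip = ipaddress.ip_address(int(host, 16) if host.startswith("0x") else int(host))
        except ValueError:
            return None
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:10.0.0.1 is really 10.0.0.1
        ip = ip.ipv4_mapped
    return ip


def classify_target(raw):
    """Return one of ALERT_CATEGORIES, 'external' (benign) or 'unparsable'."""
    url = unquote(raw)                          # one extra decode catches double-encoding
    parts = urlsplit(url)
    if not parts.scheme:
        return "unparsable"
    if parts.scheme not in ("http", "https"):   # file://, gopher://, dict:// and friends
        return "non-http-scheme"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unparsable"
    ip = literal_ip(host)
    if ip is not None:
        return "external" if ip.is_global else "internal-address"
    if host in INTERNAL_NAMES or host.endswith((".internal", ".local", ".localhost")):
        return "internal-name"
    if any(host == s or host.endswith("." + s) for s in OOB_SUFFIXES):
        return "oob-callback"
    # A name that only resolves internally is not visible here; that needs a resolver-based check.
    return "external"


def scan_log(lines):
    """Return one alert dict per suspicious 'url' value seen on the favicon endpoint."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m["target"])
        if req.path != "/v1/avatars/favicon":
            continue
        for target in parse_qs(req.query).get("url", []):
            category = classify_target(target)
            if category in ALERT_CATEGORIES:
                alerts.append({"src": m["src"], "ts": m["ts"], "status": m["status"],
                               "category": category, "target": target})
    return alerts


# Constructed log lines for the demo, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2023:10:00:01 +0000] "GET /v1/avatars/favicon?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [31/Mar/2023:10:02:17 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 912 "-" "curl/8.1.2"',
    '198.51.100.9 - - [31/Mar/2023:10:02:19 +0000] "GET /v1/avatars/favicon?url=http%3A%2F%2Fc8f2k1.oast.fun HTTP/1.1" 500 0 "-" "curl/8.1.2"',
    '192.0.2.77 - - [31/Mar/2023:10:05:40 +0000] "GET /v1/avatars/favicon?url=http://localhost:8080/ HTTP/1.1" 200 118 "-" "python-requests/2.31"',
    '192.0.2.77 - - [31/Mar/2023:10:05:41 +0000] "GET /v1/account HTTP/1.1" 401 77 "-" "python-requests/2.31"',
    '198.51.100.9 - - [31/Mar/2023:10:06:02 +0000] "GET /v1/avatars/favicon?url=gopher%3A%2F%2F10.0.0.5%3A6379%2F_INFO HTTP/1.1" 400 63 "-" "curl/8.1.2"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["src"]} {alert["category"]:16} {alert["status"]} {alert["target"]}')
```

Status codes are kept in the alert because they are the only hint in the log of whether the fetch worked: a 200 on a metadata URL means the body was probably returned to the attacker, while the callback domain probe is confirmed by the interactsh hit rather than by anything visible here.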

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck   -         7.5     HIGH       -