CVE-2024-1021
published 2024-01-29


Priority P187, critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 34.96% (98.2th percentile)

A vulnerability, which was classified as critical, has been found in Rebuild up to 3.5.5. Affected by this issue is the function readRawText of the component HTTP Request Handler. The manipulation of the argument url leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252290 is the identifier assigned to this vulnerability.

Affected

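15 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| gitlab | gitlab | | |
| gitlab | gitlab_ce | | |
| msrc | azl3_mozjs_102.15.1-1_on_azure_linux_3.0 | | |
| msrc | microsoft_edge | | |
| msrc | microsoft_edge_extended_stable | | |
| msrc | microsoft_edge_for_android | | |
| plone | plone | >= 0 < 6.0.7 | 6.0.7 |
| ruifang-tech | rebuild | <= 3.5.5 | |
| ruifang-tech | rebuild | | |
| ruifang-tech | rebuild | | |
| ruifang-tech | rebuild | | |
| ruifang-tech | rebuild | | |
| ruifang-tech | rebuild | | |
| ruifang-tech | rebuild | | |
| zenml | zenml | >= 0 < 0.56.3 | 0.56.3 |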

Detection & IOCs (extracted from sources)

sigma
condition: and
- contains(body_1, ' Interactsh Server ')
- !contains(body_1, ' Interactsh Server ')
- status_code_2 == 200
  • The vulnerability targets the `readRawText` function in Rebuild's HTTP Request Handler via manipulation of the `url` argument, enabling Server-Side Request Forgery (SSRF). Monitor outbound HTTP requests originating from the Rebuild application server to internal or unexpected external hosts.
  • The exploit uses an out-of-band interaction technique (Interactsh) to confirm SSRF. Detect by monitoring for Rebuild server-initiated DNS/HTTP callbacks to Interactsh infrastructure or similar OOB services.
  • The exploit has been publicly disclosed and may be actively used against Rebuild versions up to and including 3.5.5. Prioritize detection on instances running these versions.
  • Affected versions are Rebuild up to 3.5.5; the SSRF is triggered remotely, and no authentication requirement is mentioned, which broadens the attack surface.

CVSS provenance

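| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 6.3 | MEDIUM | |
| vendor_redhat | | 8.8 | HIGH | |
| vendor_msrc | | 6.1 | MEDIUM | |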