CVE-2024-31215
Published 2024-04-04
Priority: P4 (21)
CVSS 3.1: 4.3 (medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.51% (39.5th percentile)
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.
An SSRF vulnerability in the firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. When a malicious app is uploaded to the Static Analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mobsf | mobile-security-framework-mobsf | <= 3.9.7 | — |
| opensecurity | mobile_security_framework | < 3.9.8 | 3.9.8 |
OSV (2024-04-04): CVE-2024-31215 [MEDIUM] Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check
### Impact
_What kind of vulnerability is it? Who is impacted?_
An SSRF vulnerability in the firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. When a malicious app is uploaded to the Static Analyzer, it is possible to make internal requests.
Credits: Oleg Surnin (Positive Technologies).
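The failure mode described above is an analyzer that takes a database URL out of an untrusted artifact and fetches it without checking where the request will actually go. The following is an added example written for this page; it is not MobSF's code and not the fix from the referenced commit. It shows the kind of outbound-URL guard a defender would put in front of such a check: an assumed allowlist of Firebase host suffixes (`ALLOWED_HOST_SUFFIXES`), rejection of non-HTTPS schemes, embedded credentials, non-standard ports and IP-literal hosts, and a DNS resolution step that refuses any name resolving to a private, loopback, link-local or otherwise non-public address. The function names, the allowlist and the stub DNS data in `demo()` are all constructed for the example.

```python
"""Added example: guard for URLs extracted from an untrusted artifact before an
outbound check is made. Not MobSF code; the allowlist below is an assumption."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of Firebase Realtime Database host suffixes (hypothetical).
ALLOWED_HOST_SUFFIXES = (".firebaseio.com", ".firebasedatabase.app")


def is_public_address(ip_text):
    """True only for globally routable addresses; every internal range is refused."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolve(host):
    """Default resolver using the OS; the demo swaps in a stub so it runs offline."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_outbound_url(url, resolver=system_resolve):
    """Return (allowed, reason) for a URL that came from an untrusted app.

    The checks run in a fixed order so the reason string tells the operator
    which rule fired; all rules are allow-by-exception, never deny-list only.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "non-standard port"
    try:
        ipaddress.ip_address(host)  # succeeds only for IP-literal hosts
        return False, "IP literal host"
    except ValueError:
        pass
    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        return False, "host not in allowlist"
    try:
        addresses = resolver(host)
    except (socket.gaierror, OSError):
        return False, "DNS resolution failed"
    if not addresses or not all(is_public_address(a) for a in addresses):
        return False, "resolves to non-public address"
    return True, "ok"


def demo():
    """Constructed sample URLs checked against a stub resolver (no network)."""
    stub_dns = {
        "demo-app.firebaseio.com": ["35.201.0.10"],   # constructed public answer
        "rebinder.firebaseio.com": ["10.0.0.5"],      # allowlisted name, private answer
    }

    def resolver(host):
        if host not in stub_dns:
            raise socket.gaierror("no such host (stub)")
        return stub_dns[host]

    samples = [
        "https://demo-app.firebaseio.com/.json",
        "http://127.0.0.1:8080/.json",
        "https://10.0.0.5/internal/",
        "https://rebinder.firebaseio.com/.json",
        "https://demo-app.firebaseio.com.attacker.example/.json",
    ]
    return {url: check_outbound_url(url, resolver) for url in samples}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict[0]!s:5} {verdict[1]:32} {url}")
```

Two caveats a practitioner would want: the resolution step is a point-in-time check, so the client that performs the real request should connect to the address that was validated (or re-validate at connect time) rather than resolving the name a second time; and any HTTP redirect returned by the remote side must be passed through the same check before it is followed.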
### Patches
_Has the problem been patched? What versions should users upgrade to?_
v3.9.8 and above
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
Code level patch
### References
_Are there any links users can visit to find out more?_
https://github.com/MobSF/Mobile-Security-Framewo
GHSA (2024-04-04): CVE-2024-31215 [MEDIUM] CWE-918 Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716
Published: 2024-04-04