Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2014-9301

Disclosure Date: December 07, 2014
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter.

Add Assessment

1
Ratings
Technical Analysis

despite the age of this vuln, we still find vulnerable Alfresco, therefore it’s worth a quick assessment to me.

having tried to exploit /proxy?endpoint i think there is no known way to execute a “useful” attack.

endpoint parameter can be abused to only do GET, so to achieve a write against an internal endpoint you should first have to find something that accepts modification using GET. possible, but uncommon.
HTML for the requested endpoint will be sent back to the attacker, and this could be a useful information, but mostly info disclosure. again depends on what’s in internal network, still possible but uncommon to find really juicy stuff.

plus, if my skills in reading java code are good enough, a quick code review in source code revealed that just http and https protocols are supported by calling Classe. no file:// or something can be used to achieve, say, LFI.

still useful to map internal network or dirty other servers’ log, and to collect information, but this vuln has a quite limited value to me.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • alfresco

Products

  • alfresco

Additional Info

Technical Analysis