CVE-2023-46725

FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808	Patch
https://github.com/foodcoopshop/foodcoopshop/pull/972	Patch
https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7	Vendor Advisory
https://pastebin.com/8K5Brwbq	Not Applicable
https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808	Patch
https://github.com/foodcoopshop/foodcoopshop/pull/972	Patch
https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7	Vendor Advisory
https://pastebin.com/8K5Brwbq	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:foodcoopshop:foodcoopshop:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:29

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-02 15:15

Updated : 2024-11-21 08:29

NVD link : CVE-2023-46725

Mitre link : CVE-2023-46725

CVE.ORG link : CVE-2023-46725

JSON object : View

Products Affected

foodcoopshop

foodcoopshop

CWE

CWE-918

Server-Side Request Forgery (SSRF)

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

{"id": "CVE-2023-46725", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2023-11-02T15:15:08.847", "references": [{"url": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/foodcoopshop/foodcoopshop/pull/972", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://pastebin.com/8K5Brwbq", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/foodcoopshop/foodcoopshop/commit/0d5bec5c4c22e1affe7fd321a30e3f3a4d99e808", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/foodcoopshop/foodcoopshop/pull/972", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://pastebin.com/8K5Brwbq", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "FoodCoopShop is open source software for food coops and local shops. Versions starting with 3.2.0 prior to 3.6.1 are vulnerable to server-side request forgery. In the Network module, a manufacturer account can use the `/api/updateProducts.json` endpoint to make the server send a request to an arbitrary host. This means that the server can be used as a proxy into the internal network where the server is. Furthermore, the checks on a valid image are not adequate, leading to a time of check time of use issue. For example, by using a custom server that returns 200 on HEAD requests, then return a valid image on first GET request and then a 302 redirect to final target on second GET request, the server will copy whatever file is at the redirect destination, making this a full SSRF. Version 3.6.1 fixes this vulnerability."}, {"lang": "es", "value": "FoodCoopShop es un software de c\u00f3digo abierto para cooperativas de alimentos y tiendas locales. Las versiones que comienzan con 3.2.0 anteriores a 3.6.1 son vulnerables a server-side request forgery. En el m\u00f3dulo de Network, una cuenta de fabricante puede usar el endpoint `/api/updateProducts.json` para hacer que el servidor env\u00ede una solicitud a un host arbitrario. Esto significa que el servidor se puede utilizar como proxy en la red interna donde se encuentra el servidor. Adem\u00e1s, las comprobaciones de una imagen v\u00e1lida no son adecuadas, lo que genera un problema de tiempo de verificaci\u00f3n de uso. Por ejemplo, al usar un servidor personalizado que devuelve 200 en solicitudes HEAD, luego devuelve una imagen v\u00e1lida en la primera solicitud GET y luego una redirecci\u00f3n 302 al destino final en la segunda solicitud GET, el servidor copiar\u00e1 cualquier archivo que est\u00e9 en el destino de la redirecci\u00f3n, haciendo Esta es una SSRF completa. La versi\u00f3n 3.6.1 corrige esta vulnerabilidad."}], "lastModified": "2024-11-21T08:29:09.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:foodcoopshop:foodcoopshop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3F749AE9-CD3D-408F-ADA7-47D384325618", "versionEndIncluding": "3.6.0", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}