Vulnerability Details CVE-2021-23718
The package ssrf-agent before 1.0.5 are vulnerable to Server-side Request Forgery (SSRF) via the defaultIpChecker function. It fails to properly validate if the IP requested is private.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.0%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.0
References
- https://github.com/welefen/ssrf-agent/blob/cec2b85fe8886ad6926a247a3e059d8369ec022b/index.js%23L13
- https://security.netapp.com/advisory/ntap-20211203-0005/
- https://snyk.io/vuln/SNYK-JS-SSRFAGENT-1584362
- https://github.com/welefen/ssrf-agent/blob/cec2b85fe8886ad6926a247a3e059d8369ec022b/index.js%23L13
- https://security.netapp.com/advisory/ntap-20211203-0005/
- https://snyk.io/vuln/SNYK-JS-SSRFAGENT-1584362
Products affected by CVE-2021-23718
-
cpe:2.3:a:ssrf-agent_project:ssrf-agent:-
-
cpe:2.3:a:ssrf-agent_project:ssrf-agent:1.0.0
-
cpe:2.3:a:ssrf-agent_project:ssrf-agent:1.0.1
-
cpe:2.3:a:ssrf-agent_project:ssrf-agent:1.0.2
-
cpe:2.3:a:ssrf-agent_project:ssrf-agent:1.0.3