ByteOS Network

Vulnerability Details :

CVE-2022-39241

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-02 Nov, 2022 | 00:00

Updated At-23 Apr, 2025 | 16:41

Possible Server-Side Request Forgery (SSRF) in webhooks

Discourse is a platform for community discussion. A malicious admin could use this vulnerability to perform port enumeration on the local host or other hosts on the internal network, as well as against hosts on the Internet. Latest `stable`, `beta`, and `test-passed` versions are now patched. As a workaround, self-hosters can use `DISCOURSE_BLOCKED_IP_BLOCKS` env var (which overrides `blocked_ip_blocks` setting) to stop webhooks from accessing private IPs.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:GitHub_M

Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa

Published At:02 Nov, 2022 | 00:00

Updated At:23 Apr, 2025 | 16:41

▼CVE Numbering Authority (CNA)

Possible Server-Side Request Forgery (SSRF) in webhooks

Affected Products

Vendor

Civilized Discourse Construction Kit, Inc.

Product

discourse

Versions

Affected

<= 2.8.9
<= 2.9.0.beta10

Problem Types

Type	CWE ID	Description
CWE	CWE-918	CWE-918: Server-Side Request Forgery (SSRF)

Type: CWE

CWE ID: CWE-918

Description: CWE-918: Server-Side Request Forgery (SSRF)

Metrics

Version	Base score	Base severity	Vector
3.1	7.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Version: 3.1

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

References

Hyperlink	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr	N/A

Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Resource: N/A

▼Authorized Data Publishers (ADP)

1. CVE Program Container

References

Hyperlink	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr	x_transferred

Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Resource:

x_transferred

2. CISA ADP Vulnrichment

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security-advisories@github.com

Published At:02 Nov, 2022 | 17:15

Updated At:04 Nov, 2022 | 15:37

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	4.9	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Secondary	3.1	7.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

Type: Primary

Version: 3.1

Base score: 4.9

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N

CPE Matches

Civilized Discourse Construction Kit, Inc.

>>discourse>>Versions before 2.8.10(exclusive)

cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta1:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta10:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta2:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta3:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta4:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta5:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta6:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta7:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta8:*:*:*:*:*:*

Civilized Discourse Construction Kit, Inc.

>>discourse>>2.9.0

cpe:2.3:a:discourse:discourse:2.9.0:beta9:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-918	Primary	nvd@nist.gov
CWE-918	Secondary	security-advisories@github.com

CWE ID: CWE-918

Type: Primary

Source: nvd@nist.gov

CWE ID: CWE-918

Type: Secondary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr	security-advisories@github.com	Third Party Advisory

Hyperlink: https://github.com/discourse/discourse/security/advisories/GHSA-rcc5-28r3-23rr

Source: security-advisories@github.com

Resource:

Third Party Advisory

Similar CVEs

53Records found

CVE-2023-29292

Matching Score-4

Assigner-Adobe Systems Incorporated

View Details

Matching Score-4

Assigner-Adobe Systems Incorporated

CVSS Score-4.9||MEDIUM

EPSS-0.35% / 57.10%

7 Day CHG~0.00%

Published-15 Jun, 2023 | 00:00

Updated-05 Mar, 2025 | 18:56

Server Side Request Forgery (SSRF) in FedEx carrier integration configuration

Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Vendor-Adobe Inc.

Product-magento commerce Magento Commerce

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2021-32698

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-6.8||MEDIUM

EPSS-0.26% / 49.18%

7 Day CHG~0.00%

Published-21 Jun, 2021 | 21:15

Updated-03 Aug, 2024 | 23:25

Blind Server-Side Request Forgery (SSRF) in eLabFTW

eLabFTW is an open source electronic lab notebook for research labs. This vulnerability allows an attacker to make GET requests on behalf of the server. It is "blind" because the attacker cannot see the result of the request. Issue has been patched in eLabFTW 4.0.0.

Vendor-elabftw elabftw

Product-elabftw elabftw

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2024-52588

Matching Score-4

Assigner-GitHub, Inc.

View Details

Matching Score-4

Assigner-GitHub, Inc.

CVSS Score-4.9||MEDIUM

EPSS-0.10% / 28.18%

7 Day CHG+0.03%

Published-29 May, 2025 | 09:02

Updated-29 May, 2025 | 14:29

Strapi allows Server-Side Request Forgery in Webhook function

Strapi is an open-source content management system. Prior to version 4.25.2, inputting a local domain into the Webhooks URL field leads to the application fetching itself, resulting in a server side request forgery (SSRF). This issue has been patched in version 4.25.2.

Vendor-Strapi, Inc.

Product-strapi

CWE ID-CWE-918

Server-Side Request Forgery (SSRF)

CVE-2022-39241

Credits

Possible Server-Side Request Forgery (SSRF) in webhooks

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs