EIQ-2018-0018
ID: EIQ-2018-0018 (Former ref.: 25752, 25753)
CVE: -
Description: Incoming feed with HTTP download could give access to internal components
Date: -
Severity: 2 - MEDIUM
CVSSv3 score: CVSSv3 score not available on NIST NVD.
Status: 2.6.0
Assessment:
An incoming feed using the HTTP download transport type can access internal components. A signed-in platform user with admin access rights could use server-side request forgery (SSRF) to probe the internal network, and to search for open ports that HTTP services listen on. For example, a user could set the transport configuration URL to http://localhost:9001/index.html?processname=platform-api&action=stop to reach the platform-api component and stop it upon running the incoming feed task. |
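The defensive control this class of issue calls for is a server-side check of the user-supplied download URL before the feed task fetches it. The following is an added example, not EclecticIQ's code or its actual fix for this issue: the function name `check_feed_url`, the injectable `resolver` hook and the sample URLs are assumptions for the example. It rejects non-HTTP(S) schemes, loopback hostnames, and any destination address that is not globally routable, including the http://localhost:9001 URL from the assessment above.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_forbidden_address(addr):
    """True if addr points at loopback, private, link-local or other non-routable space."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def _default_resolver(host):
    """Resolve host to the set of addresses the fetch could actually connect to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_feed_url(url, resolver=_default_resolver):
    """Validate a feed download URL; returns (ok, reason).

    resolver is injectable so the check can be unit-tested offline and so a caller
    can reuse the same resolution it will pin when actually connecting.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"

    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    host = host.rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"

    # IP literal: judge it directly. Hostname: judge every address it resolves to.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "hostname does not resolve"

    for addr in addrs:
        if _is_forbidden_address(addr):
            return False, f"destination {addr} is not globally routable"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the URL shape quoted in the assessment, plus a public host.
    for u in ("http://localhost:9001/index.html?processname=platform-api&action=stop",
              "http://8.8.8.8/feed.json"):
        print(u, "->", check_feed_url(u))
```

Two caveats worth keeping in mind. First, a check run when the configuration is saved is not sufficient on its own: the hostname can later resolve to a different address (DNS rebinding) and an HTTP redirect can point at an internal host, so the fetch itself should re-validate redirects and connect to the address that was validated rather than resolving again. Second, this kind of filter is a mitigation, not a substitute for keeping internal components off any interface the feed fetcher can reach.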
Mitigation: Possible workarounds to mitigate the issue:
Affected versions: 2.3.0 to 2.5.0 included.
Notes: -
In release notes 2.6.0