Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05eDdoLWdnYzMteGc0N84AAzHz
imgproxy is vulnerable to Server-Side Request Forgery
imgproxy prior to version 3.15.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter.
Permalink: https://github.com/advisories/GHSA-9x7h-ggc3-xg47JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05eDdoLWdnYzMteGc0N84AAzHz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 6 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-9x7h-ggc3-xg47, CVE-2023-30019
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-30019
- https://breakandpray.com/cve-2023-30019-ssrf-in-imgproxy/
- https://github.com/imgproxy/imgproxy/commit/1a9768a2c682e88820064aa3d9a05ea234ff3cc4
- https://github.com/imgproxy/imgproxy/blob/ee9e8f0cb101ec22318caffd552a23cc0548d5ce/imagedata/download.go#L142
- https://github.com/advisories/GHSA-9x7h-ggc3-xg47
Blast Radius: 1.0
Affected Packages
go:github.com/imgproxy/imgproxy/v3
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 3.15.0
Fixed in: 3.15.0
All affected versions: 3.0.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.5.0, 3.5.1, 3.6.0, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.9.0, 3.10.0, 3.11.0, 3.12.0, 3.13.0, 3.13.1, 3.13.2, 3.14.0
All unaffected versions: 3.15.0, 3.16.0, 3.16.1, 3.17.0, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.24.0, 3.24.1