Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tZ3Y4LXc0OWYtODIyd84AA69_
Mautic: MST-48 Server-Side Request Forgery in Asset section
Impact
Prior to the patched version, an authenticated user of Mautic could read system files and access the internal addresses of the application due to a Server-Side Request Forgery (SSRF) vulnerability.
Patches
Update to 4.4.12 or 5.0.4
Workarounds
None
References
If you have any questions or comments about this advisory:
Email us at [email protected]
Permalink: https://github.com/advisories/GHSA-mgv8-w49f-822wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tZ3Y4LXc0OWYtODIyd84AA69_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 4 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-mgv8-w49f-822w, CVE-2022-25777
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-mgv8-w49f-822w
- https://github.com/mautic/mautic/commit/b4b4ab5f0613854152ceb7b5e5228acf50648fd0
- https://github.com/mautic/mautic/commit/c54befd9eaaa49e4fc10a0fe22435c09ef2821b2
- https://nvd.nist.gov/vuln/detail/CVE-2022-25777
- https://github.com/advisories/GHSA-mgv8-w49f-822w
Blast Radius: 3.1
Affected Packages
packagist:mautic/core
Dependent packages: 2Dependent repositories: 3
Downloads: 2,009 total
Affected Version Ranges: >= 5.0.0-alpha, < 5.0.4, >= 1.0.0-beta4, < 4.4.12
Fixed in: 5.0.4, 4.4.12
All affected versions: 1.0.0, 1.0.0-beta4, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.0-rc4, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3
All unaffected versions: 4.4.12, 4.4.13, 5.0.4, 5.1.0, 5.1.1, 5.2.0, 5.2.1