Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tZ3Y4LXc0OWYtODIyd84AA69_
Mautic: MST-48 Server-Side Request Forgery in Asset section
Impact
Prior to the patched version, an authenticated user of Mautic could read system files and access the internal addresses of the application due to a Server-Side Request Forgery (SSRF) vulnerability.
Patches
Update to 4.4.12 or 5.0.4
Workarounds
None
References
If you have any questions or comments about this advisory:
Email us at [email protected]
Permalink: https://github.com/advisories/GHSA-mgv8-w49f-822wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tZ3Y4LXc0OWYtODIyd84AA69_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 21 days ago
Updated: 21 days ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
Identifiers: GHSA-mgv8-w49f-822w, CVE-2022-25777
References:
- https://github.com/mautic/mautic/security/advisories/GHSA-mgv8-w49f-822w
- https://github.com/mautic/mautic/commit/b4b4ab5f0613854152ceb7b5e5228acf50648fd0
- https://github.com/mautic/mautic/commit/c54befd9eaaa49e4fc10a0fe22435c09ef2821b2
- https://github.com/advisories/GHSA-mgv8-w49f-822w
Blast Radius: 3.1
Affected Packages
packagist:mautic/core
Dependent packages: 2Dependent repositories: 3
Downloads: 1,952 total
Affected Version Ranges: >= 5.0.0-alpha, < 5.0.4, >= 1.0.0-beta4, < 4.4.12
Fixed in: 5.0.4, 4.4.12
All affected versions: 1.0.0, 1.0.0-beta4, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.0-rc4, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 2.8.0, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.9.2, 2.10.0, 2.10.1, 2.11.0, 2.12.0, 2.12.1, 2.12.2, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.14.2, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.16.0, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.4.10, 4.4.11, 5.0.0, 5.0.0-alpha, 5.0.0-alpha1, 5.0.0-beta1, 5.0.0-beta2, 5.0.0-rc1, 5.0.0-rc2, 5.0.1, 5.0.2, 5.0.3
All unaffected versions: 4.4.12, 5.0.4