Vulnerabilities: 1 via 2 paths
Dependencies: 17
Source: GitHub
Commit: c1d14ea1


medium severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: faraday
  • Introduced through: r10k@3.4.0

Detailed paths

  • Introduced through: shinesolutions/aem-platform-buildenv#c1d14ea17a489543724f6b7bd9cb98928e63d7a0 › r10k@3.4.0 › puppet_forge@2.3.1 › faraday@0.14.0
    Remediation: Upgrade to r10k@3.15.0.
  • Introduced through: shinesolutions/aem-platform-buildenv#c1d14ea17a489543724f6b7bd9cb98928e63d7a0 › r10k@3.4.0 › puppet_forge@2.3.1 › faraday_middleware@0.12.2 › faraday@0.14.0

Overview

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the build_exclusive_url function in the connection.rb file. An attacker who controls the URL or path string passed to a request method can cause the request to be sent to an arbitrary host by supplying a protocol-relative URL, i.e. input that starts with // followed by a hostname: when that input is joined with the connection's base URL, the authority in the input replaces the configured host, while the scheme is kept.

Workaround

Until the upgrade is applied, this vulnerability can be mitigated by validating and sanitizing user-controlled input before passing it to request methods: reject or strip input that starts with // followed by a non-/ character, accept only paths that match an allowlist of permitted path prefixes, or prepend ./ to all user-supplied paths so they can only resolve as a path segment relative to the base URL and can never carry an authority.
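The following Ruby is an added example, not code from this advisory or from Faraday itself. It uses Ruby's standard-library URI#merge (the same RFC 3986 reference resolution a base-URL-plus-path join performs) to reproduce the host takeover described above, and implements the three workarounds as small functions plus a hardened builder that applies all of them. The base URL, the allowlisted prefixes and the hostile input are constructed for the example.

```ruby
require "uri"

# Constructed for this example: the base URL a connection would hold.
# The trailing slash matters: relative paths are resolved under it.
BASE = URI.parse("https://api.example.com/v1/")

# Join a base URL and a request path the way RFC 3986 reference resolution
# (URI#merge, aliased as +) does. An input of the form "//host/path" is a
# network-path reference: the scheme is kept, but the authority (host) is
# taken from the input rather than from the base. That is the SSRF.
def resolve(base, path)
  (base + path).to_s
end

# Workaround 1: refuse input that starts with "//" followed by a non-"/"
# character, i.e. anything a resolver would treat as protocol-relative.
class ProtocolRelativePath < ArgumentError; end

def reject_protocol_relative(path)
  if path.match?(%r{\A//[^/]})
    raise ProtocolRelativePath, "refusing protocol-relative path #{path.inspect}"
  end
  path
end

# Workaround 2: only accept paths under an allowlist of known prefixes.
# The prefixes are constructed for this example.
ALLOWED_PREFIXES = ["users/", "orders/"].freeze

def allowlisted?(path)
  ALLOWED_PREFIXES.any? { |prefix| path.start_with?(prefix) }
end

# Workaround 3: prepend "./" so the input can only ever resolve as a path
# segment relative to the base; it can no longer carry an authority.
def force_relative(path)
  "./#{path}"
end

# Hardened request-URL builder applying all three checks before joining.
def build_url(base, path)
  reject_protocol_relative(path)
  unless allowlisted?(path)
    raise ArgumentError, "path #{path.inspect} is outside the allowlist"
  end
  resolve(base, force_relative(path))
end

if __FILE__ == $PROGRAM_NAME
  puts resolve(BASE, "users/42")                          # stays on api.example.com
  puts resolve(BASE, "//evil.example/x")                  # host replaced: the SSRF
  puts resolve(BASE, force_relative("//evil.example/x"))  # "./" keeps the host
  puts build_url(BASE, "users/42")
  begin
    build_url(BASE, "//evil.example/x")
  rescue ProtocolRelativePath => e
    puts "rejected: #{e.message}"
  end
end
```

The first two resolve calls show the difference a single leading // makes: the benign path lands under /v1/ on the configured host, the protocol-relative one is sent to evil.example with the same scheme. Any one of the three workarounds is enough to block that input; the builder combines them so a path has to be both syntactically safe and on the allowlist before it is joined.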

Remediation

Upgrade faraday to version 2.14.1 or higher.
