CWE-918 - Server-Side Request Forgery (SSRF)

Description

The web server gets a URL from an upstream component and reads it. Under the influence of the weakness server can't garantee that data analyzed were transmitted to the proper destination.
After getting URLs to unknown ports and hosts by attackers, the server sends requests, trying to bypass URLs access control. Web servers can also play a role of proxy, applied for port scanning of hosts in internal networks and using additional websites or protocols, allowing to get access to the documents and control contents of requests.
The vulnerability has the biggest influence on integrity and confidentiality of the data and allows attackers not only to steal data, but also perform anathorized actions.
The weakness is introduced during Architecture and Design, Implementation stages.

Latest vulnerabilities for CWE-918

Multiple vulnerabilities in IBM Integration Designer 2024-04-23
High Yes

Multiple vulnerabilities in IBM Observability with Instana 2024-04-19
Medium Yes

Multiple vulnerabilities in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty 2024-04-18
High Yes

Bamboo Data Center and Server update for Spring Framework spring-web 2024-04-17
Medium Yes

Bamboo Data Center and Server update for Spring Framework 2024-04-17
Medium Yes

SolarWinds Web Help Desk update for third-party components 2024-04-17
Medium Yes

Oracle Solaris update for thrid-party components 2024-04-17
High Yes

Multiple vulnerabilities in Oracle Communications Cloud Native Core Console 2024-04-16
Medium Yes

Multiple vulnerabilities in Primavera Unifier 2024-04-16
Medium Yes

Multiple vulnerabilities in Oracle Commerce Platform 2024-04-16
Medium Yes

References

Description of CWE-918 on Mitre website