CVE-2021-25939

Public Exploit

ArangoDB - Blind SSRF when Downloading Foxx Service from URL

Description

In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature which allows downloading a Foxx service from a publicly available URL. This feature does not enforce proper filtering of requests performed internally, which can be abused by a highly-privileged attacker to perform blind SSRF and send internal requests to localhost.

Remediation

Solution:

Upgrade to ArangoDB v3.9.0-beta.1 or later

References

Link	Tags
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25939	third party advisory exploit
https://github.com/arangodb/arangodb/commit/d7b35a6884c6b2802d34d79fb2a79fb2c9ec2175	third party advisory patch
https://github.com/arangodb/arangodb/commit/d9b7f019d2435f107b19a59190bf9cc27d5f34dd	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-25939?: CVE-2021-25939 has been scored as a low severity vulnerability.
How to fix CVE-2021-25939?: To fix CVE-2021-25939: Upgrade to ArangoDB v3.9.0-beta.1 or later
Is CVE-2021-25939 being actively exploited in the wild?: It is possible that CVE-2021-25939 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-25939?: CVE-2021-25939 affects arangodb arangodb.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-918 – Server-Side Request Forgery (SSRF)

References

Frequently Asked Questions