Products
cBioPortal for Cancer Genomics
- 6.0.12
Source
security-advisories@github.com
Tags
CVE-2024-41668 details
Last Modified : July 23, 2024, 7:15 p.m.
Description
The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. When running a publicly exposed proxy endpoint without authentication, cBioPortal could allow someone to perform a Server Side Request Forgery (SSRF) attack. Logged in users could do the same on private instances. A fix has been released in version 6.0.12. As a workaround, one might be able to disable `/proxy` endpoint entirely via, for example, nginx.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8.3 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-918 | Server-Side Request Forgery (SSRF) | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
Base Score
8.3
Exploitability Score
3.9
Impact Score
3.7
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
References
| URL | Source |
|---|---|
| https://github.com/cBioPortal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5 | security-advisories@github.com |
| https://github.com/cBioPortal/cbioportal/pull/10884 | security-advisories@github.com |
| https://github.com/cBioPortal/cbioportal/releases/tag/v6.0.12 | security-advisories@github.com |
| https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm | security-advisories@github.com |
| https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2024-004 | security-advisories@github.com |