Platform: other
Component: akana-api-platform
Fixed in: 2022.1.1 (CVE-2024-2796 patch), 2022.1.2 (CVE-2024-2796 patch), 2022.1.3.2, 2024.1.0
A server-side request forgery (SSRF) vulnerability has been identified in Akana API Platform versions prior to and including 2022.1.3. This flaw allows an attacker to manipulate the application into making requests to unintended internal or external resources, potentially leading to unauthorized access and data exposure. The vulnerability affects versions 0.0.0 through 2024.1.0, and a patch is available in version 2024.1.0.
The SSRF vulnerability in Akana API Platform allows an attacker to craft malicious requests that the server will execute on their behalf. This can be exploited to access internal services and resources that are not directly exposed to the internet, such as internal databases, configuration files, or administrative interfaces. An attacker could potentially read sensitive data, modify configurations, or even gain control of the underlying infrastructure. The impact is particularly severe if the API Platform is used to manage sensitive data or integrate with critical internal systems. Successful exploitation could lead to a complete compromise of the API Platform and potentially the entire network.
This vulnerability was reported by Jakob Antonsson. As of the current date, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The public disclosure date is 2024-04-18, indicating a relatively recent discovery and potential for ongoing investigation and exploitation.
Exploit Status
EPSS: 0.29% (52nd percentile)
The primary mitigation for CVE-2024-2796 is to upgrade to Akana API Platform version 2024.1.0 or later, which contains the fix. If upgrading immediately is not possible, consider implementing temporary workarounds such as restricting outbound network access from the API Platform to only necessary destinations. Implement strict input validation and sanitization to prevent attackers from manipulating the request URLs. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter malicious requests. Monitor API Platform logs for unusual outbound requests that may indicate exploitation attempts.
Update Akana API Platform to version 2024.1.0 or later. Apply the available CVE-2024-2796 patches for versions 2022.1.1 and 2022.1.2 if you cannot update immediately. Refer to the vendor security advisory for detailed instructions.
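The workarounds listed above (restricting outbound destinations to an allowlist, validating request URLs before the server fetches them, and reviewing logs for unusual outbound requests) can be made concrete with the egress guard below. This is an added example written for this page, not Akana's code and not part of the API Platform; the allowlisted host names, the fake resolver's addresses, and the log line format are all constructed for illustration.

```python
"""SSRF egress guard: scheme and allowlist checks, a resolved-address check, and a log sweep.

Added example, not Akana API Platform code. Host names, IP addresses and log lines are constructed.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Constructed allowlist of hosts the platform legitimately calls out to.
ALLOWED_HOSTS = frozenset({"api.partner.example", "hooks.partner.example"})


def is_public_address(ip_text):
    """True only for addresses outside loopback, private, link-local (which includes the
    169.254.169.254 cloud metadata range), multicast, reserved and unspecified space."""
    addr = ipaddress.ip_address(ip_text)
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve_host(hostname):
    """Default resolver using the system DNS. A real client should connect to the address
    it validated rather than resolving a second time (DNS rebinding)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_host):
    """Return (allowed, reason); stops at the first control that fails."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # http://api.partner.example@127.0.0.1/ places the real target after the '@'
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for ip_text in addresses:
        if not is_public_address(ip_text):
            return False, f"{host} resolves to non-public address {ip_text}"
    return True, "ok"


# Constructed log format: "<timestamp> outbound dst=<url> status=<code>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) outbound dst=(?P<url>\S+) status=(?P<status>\d+)$")


def sweep_outbound_log(lines, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_host):
    """Run every logged outbound request through the guard; return (timestamp, url, reason)
    for those that should not have been made."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        ok, reason = check_outbound_url(match["url"], allowed_hosts, resolver)
        if not ok:
            findings.append((match["ts"], match["url"], reason))
    return findings


# Constructed DNS answers so the example runs offline; hooks.partner.example deliberately
# points at an internal address to show the resolved-address check catching it.
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "hooks.partner.example": ["10.0.0.5"],
}


def fake_resolver(hostname):
    if hostname not in FAKE_DNS:
        raise OSError(f"no such host {hostname}")
    return FAKE_DNS[hostname]


# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-04-18T10:02:11Z outbound dst=https://api.partner.example/v1/orders status=200",
    "2024-04-18T10:02:15Z outbound dst=http://169.254.169.254/ status=200",
    "2024-04-18T10:02:19Z outbound dst=http://api.partner.example@127.0.0.1:8443/admin status=401",
    "2024-04-18T10:02:23Z outbound dst=file:///tmp/probe status=0",
    "2024-04-18T10:02:30Z outbound dst=https://hooks.partner.example/notify status=200",
]

if __name__ == "__main__":
    for ts, url, reason in sweep_outbound_log(SAMPLE_LOG, resolver=fake_resolver):
        print(f"{ts} REJECT {url} -> {reason}")
```

The same `check_outbound_url` serves both as the pre-request control (call it before the platform fetches a user-influenced URL) and as the detection rule for the log review the advisory recommends. The resolver is injected so the check can be exercised with fixed answers; in production, the address that passed the check should be the one the client connects to.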
CVE-2024-2796 is a critical server-side request forgery vulnerability in Akana API Platform versions 0.0.0–2024.1.0, allowing attackers to make requests to unintended resources.
If you are using Akana API Platform versions 0.0.0 through 2024.1.0, you are potentially affected by this SSRF vulnerability.
Upgrade to Akana API Platform version 2024.1.0 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the Akana API Platform security advisories for the most up-to-date information and official guidance regarding CVE-2024-2796.