Platform: java
Component: cbioportal
Fixed in: 6.0.13
CVE-2024-41668 describes a Server Side Request Forgery (SSRF) vulnerability discovered in cBioPortal for Cancer Genomics. This vulnerability allows an attacker to induce the server to make requests to arbitrary internal or external resources, potentially leading to unauthorized access and data exposure. The vulnerability affects versions of cBioPortal up to and including 6.0.11, and a fix is available in version 6.0.12.
The SSRF vulnerability in cBioPortal allows an attacker to craft malicious requests that the server will execute on their behalf. In a publicly exposed instance, this could allow an attacker to scan internal networks, access sensitive data stored behind firewalls, or even interact with internal services. Even in private, authenticated instances, logged-in users could leverage this vulnerability to access resources they shouldn't. The potential impact ranges from information disclosure to complete compromise of the underlying infrastructure, depending on the resources accessible via the SSRF. This vulnerability shares similarities with other SSRF exploits where attackers leverage the server's trust to bypass security controls.
CVE-2024-41668 was publicly disclosed on July 23, 2024. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the SSRF nature of the vulnerability makes it likely that such exploits will emerge.
Exploit Status
EPSS: 0.11% (30th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-41668 is to upgrade cBioPortal to version 6.0.12 or later, which includes a fix for the SSRF vulnerability. If upgrading immediately is not possible, a temporary workaround is to disable the /proxy endpoint entirely by placing a reverse proxy such as Nginx in front of cBioPortal and configuring it to explicitly deny every request to the /proxy path. After upgrading, verify the fix by attempting to access an internal resource through the /proxy endpoint; the request should be denied.
Update cBioPortal to version 6.0.12 or later. As an alternative, disable the `/proxy` endpoint by configuring a reverse proxy such as Nginx.
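The following Nginx server block is an added example of the workaround described above; it is not configuration from the advisory or from the cBioPortal project. It assumes cBioPortal is listening on 127.0.0.1:8080 behind Nginx and uses a placeholder hostname; adjust both for your deployment.

```nginx
# Added example (not from the advisory or the cBioPortal project).
# Temporary workaround for CVE-2024-41668: deny the /proxy endpoint at the
# reverse proxy until cBioPortal is upgraded to a fixed version.
# Assumptions: cBioPortal listens on 127.0.0.1:8080; hostname is a placeholder.
server {
    listen 80;
    server_name cbioportal.example.org;

    # Prefix match on /proxy also covers /proxy/... (and any URI starting with
    # "/proxy"). The "^~" modifier stops a later regex location from taking
    # precedence and accidentally routing such requests to the application.
    location ^~ /proxy {
        return 403;
    }

    # Everything else is forwarded to cBioPortal unchanged.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate and reload with `nginx -t && nginx -s reload`, then confirm that a request to any path under /proxy returns HTTP 403 from Nginx while other application paths still load. The block only helps if all traffic to cBioPortal actually passes through Nginx; if the application port is reachable directly, the /proxy endpoint remains exposed until the upgrade is applied.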
CVE-2024-41668 is a Server Side Request Forgery vulnerability in cBioPortal versions up to 6.0.11, allowing attackers to make server-side requests and potentially access internal resources.
You are affected if you are running cBioPortal version 6.0.11 or earlier. Publicly exposed instances are at higher risk.
Upgrade to version 6.0.12 or later. As a temporary workaround, disable the /proxy endpoint using a reverse proxy like Nginx.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the cBioPortal security advisories page for the latest information: https://www.cbioportal.org/security/