Platform
java
Component
cbioportal
Fixed in
6.0.13
CVE-2024-41668 is a Server Side Request Forgery (SSRF) vulnerability in cBioPortal for Cancer Genomics, reachable through the application's /proxy endpoint. It lets an attacker make the server issue HTTP requests to internal or external resources of the attacker's choosing, which can lead to unauthorized access to services that are reachable only from the server and to exposure of the data they hold. The vulnerability affects cBioPortal versions up to and including 6.0.11; a fix is available from version 6.0.12 (the metadata above lists 6.0.13 as the resolved version, so upgrade to the latest available release).
The vulnerability lets an attacker craft a request whose embedded target URL the cBioPortal server fetches on the attacker's behalf, using the server's own network position and credentials. On a publicly exposed instance this can be used to map internal networks, read data from services that sit behind a firewall, and interact with internal HTTP APIs that assume any caller from inside the perimeter is trusted. On a cloud-hosted instance a common target is the instance metadata service, which can yield temporary cloud credentials. Even on private, authenticated instances, any logged-in user can use the endpoint to reach resources they are not meant to see. The impact therefore ranges from information disclosure to compromise of adjacent infrastructure, depending on what the server can reach; as with other SSRF flaws, the attacker abuses the trust placed in the server to bypass network controls.
CVE-2024-41668 was publicly disclosed on July 23, 2024. There is no indication of active exploitation at this time, and it is not listed in the CISA KEV catalog. No public proof-of-concept exploit is widely available, but that offers little protection here: exploiting an SSRF of this kind needs no special tooling, since a single crafted request carrying the target URL is enough.
Organizations running publicly accessible cBioPortal instances, particularly those with sensitive data stored on internal networks, are at significant risk. Environments where cBioPortal is integrated with other internal systems are also vulnerable, as an attacker could potentially leverage the SSRF to gain access to those systems.
• java / server: Monitor the reverse-proxy or application access logs for requests to the /proxy endpoint that come from unexpected clients or that carry loopback, private or link-local targets. A first pass with grep (replace the second pattern with a regex for your trusted client range; note that percent-encoded paths such as /%70roxy will not match and need a decoding pass):
grep '/proxy' /var/log/nginx/access.log | grep -v '^10\.0\.'
• generic web: On an instance you are authorized to test, use curl to request an internal resource through the /proxy endpoint. A response that carries the internal resource's content indicates the vulnerability is present; a denied request indicates the endpoint is blocked or patched.
curl -v 'http://cbioportal_server/proxy/http://internal_resource'
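As an added example (not code from cBioPortal or from this advisory), the log check above carried out in Python rather than with grep: it parses Nginx combined-format lines, decodes the request path so that percent-encoded spellings of /proxy are not missed, and flags requests from clients outside an assumed trusted range or whose proxied target points at loopback, RFC 1918 or link-local space (including the cloud metadata address). The trusted networks and the log lines are constructed for the example.

```python
"""Added example (not cBioPortal project code): scan Nginx combined-format access
log lines for /proxy requests from untrusted clients or towards internal targets.
The trusted networks and the sample log lines below are constructed assumptions."""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Nginx "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: client networks that are allowed to reach the endpoint at all.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Address ranges a proxied request should never be allowed to reach.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",   # link-local; includes the cloud metadata address 169.254.169.254
    "::1/128", "fc00::/7", "fe80::/10",
)]


def target_is_internal(target):
    """True when the URL embedded after /proxy/ points at localhost, loopback,
    RFC 1918 or link-local space. DNS names cannot be judged offline and return False."""
    parts = urlsplit(target if "://" in target else "//" + target)
    host = parts.hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostname, not a literal address; resolve it separately if needed
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return one finding per suspicious /proxy request, with the reasons it was flagged."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode first: /%70roxy/... is the same endpoint as /proxy/... to the application.
        path = unquote(m.group("path"))
        if not (path == "/proxy" or path.startswith("/proxy/")):
            continue
        reasons = []
        try:
            client = ipaddress.ip_address(m.group("ip"))
            trusted = any(client in net for net in TRUSTED_NETS)
        except ValueError:
            trusted = False  # unparsable client field: treat as untrusted
        if not trusted:
            reasons.append("untrusted-client")
        target = path[len("/proxy/"):]
        if target and target_is_internal(target):
            reasons.append("internal-target")
        if reasons:
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": m.group("status"), "reasons": reasons})
    return findings


SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [23/Jul/2024:10:15:32 +0000] "GET /proxy/http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.7 - alice [23/Jul/2024:10:16:01 +0000] "GET /proxy/http://127.0.0.1:8080/api/ HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '10.0.0.7 - alice [23/Jul/2024:10:16:05 +0000] "GET /api/studies HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Jul/2024:10:17:44 +0000] "GET /%70roxy/http://192.168.0.10/ HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '10.0.0.8 - bob [23/Jul/2024:10:18:10 +0000] "GET /proxy/https://www.example.org/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:<15} {f['status']} {','.join(f['reasons']):<32} {f['path']}")
```

The fifth sample line (a trusted client proxying to an external host) produces no finding; whether that is acceptable depends on what the endpoint is legitimately used for at your site, and a stricter policy would flag every /proxy request whose target host is not on an allow-list. The fourth line shows why decoding matters: the request was percent-encoded and would slip past a plain `grep '/proxy'`.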
Exploit Status
EPSS
0.11% (30th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-41668 is to upgrade cBioPortal to version 6.0.12 or later, which contains the fix for the SSRF vulnerability. If an immediate upgrade is not possible, a temporary workaround is to block the /proxy endpoint entirely at a reverse proxy such as Nginx, with a location rule that explicitly denies the /proxy path. This only helps if the application port itself is not reachable from clients, so restrict direct access to the cBioPortal listener (for example with a host firewall) at the same time; the workaround also removes whatever legitimate function the endpoint provides, so confirm that nothing in your deployment depends on it. After upgrading or deploying the block, verify the fix by attempting to reach an internal resource through the /proxy endpoint; the request should be denied.
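The reverse-proxy workaround described above, written out as an added example (not configuration from the cBioPortal project or from this advisory). The hostname, certificate paths and upstream address are assumptions; the commented-out catch-all shows the unfiltered setting, and the block that follows it is the corrected one.

```nginx
# Added example (not part of cBioPortal or this advisory): temporary workaround that
# blocks the /proxy endpoint at an Nginx reverse proxy in front of cBioPortal.
# Hostname, certificate paths and the upstream address are assumptions; adjust them.
upstream cbioportal_app {
    server 127.0.0.1:8080;   # assumption: cBioPortal listens on loopback only
}

server {
    listen 443 ssl;
    server_name cbioportal.example.org;                 # assumption
    ssl_certificate     /etc/nginx/tls/cbioportal.crt;  # assumption
    ssl_certificate_key /etc/nginx/tls/cbioportal.key;  # assumption

    # Weak setting: everything, including /proxy, is forwarded unfiltered.
    # location / { proxy_pass http://cbioportal_app; }

    # Corrected: deny /proxy and everything under it before the catch-all.
    # "^~" gives this prefix match priority over any regex locations, and Nginx
    # decodes percent-encoding before matching, so /%70roxy/... is caught as well.
    location ^~ /proxy {
        return 403;
    }

    location / {
        proxy_pass http://cbioportal_app;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the syntax with `nginx -t` before reloading, then confirm with `curl -o /dev/null -s -w '%{http_code}\n' 'https://cbioportal.example.org/proxy/http://127.0.0.1/'` that the endpoint returns 403. The prefix rule also matches any other path beginning with /proxy (for example /proxy-status), which is harmless for cBioPortal but worth knowing if other applications share the same server block; and because this rule lives in Nginx, a client that can reach port 8080 directly bypasses it, hence the loopback-only upstream.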
Update cBioPortal to version 6.0.12 or later. Alternatively, disable the `/proxy` endpoint through the configuration of a reverse proxy such as Nginx.
CVE-2024-41668 is a Server Side Request Forgery vulnerability in cBioPortal versions up to 6.0.11, allowing attackers to make server-side requests and potentially access internal resources.
You are affected if you are running cBioPortal version 6.0.11 or earlier. Publicly exposed instances are at higher risk.
Upgrade to version 6.0.12 or later. As a temporary workaround, disable the /proxy endpoint using a reverse proxy like Nginx.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the cBioPortal security advisories page for the latest information: https://www.cbioportal.org/security/