6.0.13
CVE-2024-41668 is a Server-Side Request Forgery (SSRF) vulnerability in cBioPortal for Cancer Genomics. The application's /proxy endpoint can be made to fetch URLs chosen by the caller, so an attacker can induce the server to make requests to arbitrary internal or external resources, with the server's network position and credentials, potentially leading to unauthorized access and data exposure. The vulnerability affects cBioPortal versions up to and including 6.0.11; a fix is available in version 6.0.12.
Because the server performs the request on the attacker's behalf, a publicly exposed instance could be used to scan internal networks, reach services that are only filtered at the perimeter (cloud metadata endpoints, internal admin interfaces, databases with HTTP front ends), and read back whatever those services return. Private, authenticated instances are not exempt: any logged-in user can use the endpoint to reach resources they are not meant to see. The impact therefore ranges from information disclosure to compromise of adjacent infrastructure, depending on what is reachable from the cBioPortal host. As with other SSRF bugs, the attacker is borrowing the server's trust to bypass network-level controls rather than exploiting a memory-safety flaw.
CVE-2024-41668 was publicly disclosed on July 23, 2024. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the SSRF nature of the vulnerability makes it likely that such exploits will emerge.
Organizations running publicly accessible cBioPortal instances, particularly those with sensitive data stored on internal networks, are at significant risk. Environments where cBioPortal is integrated with other internal systems are also vulnerable, as an attacker could potentially leverage the SSRF to gain access to those systems.
• java / server: Monitor access logs for requests to the /proxy endpoint originating from unexpected sources. With the access log of the reverse proxy in front of cBioPortal, replace the placeholder with a pattern that matches your trusted source addresses:
grep '/proxy' /var/log/nginx/access.log | grep -v "your_trusted_ip_range"
• generic web: Use curl to attempt to access an internal resource through the /proxy endpoint. A response containing the internal resource's content indicates the vulnerability is present:
curl -v http://cbioportal_server/proxy/http://internal_resource
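The grep above only separates requests by source address. An added example, not part of the page or of the cBioPortal project, that goes one step further: it parses nginx "combined" access-log lines, extracts the URL each /proxy request asked the server to fetch, and flags a request when the source is outside assumed trusted ranges or when the target points at loopback, link-local or RFC 1918 space. The log lines, the trusted ranges and the assumption that the endpoint is reached as /proxy/<target-url> are all constructed for the example.

```python
"""Flag suspicious /proxy requests in nginx access logs (cBioPortal SSRF, CVE-2024-41668).

Hypothetical detection script, not part of cBioPortal. Assumes the standard nginx
'combined' log format and that the proxy endpoint is reached as /proxy/<target-url>.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed trusted source ranges (office NAT, internal frontend hosts); adjust to your site.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
192.168.1.10 - - [23/Jul/2024:10:00:01 +0000] "GET /api/studies HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2024:10:00:02 +0000] "GET /proxy/http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 88 "-" "curl/8.4.0"
192.168.1.10 - - [23/Jul/2024:10:00:03 +0000] "GET /proxy/http://10.0.0.5:8080/admin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2024:10:00:04 +0000] "GET /proxy/https%3A%2F%2Fexample.org%2Fx HTTP/1.1" 200 10 "-" "curl/8.4.0"
10.1.2.3 - - [23/Jul/2024:10:00:05 +0000] "GET /proxy/https://example.org/ok HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""


def proxy_target(path: str) -> Optional[str]:
    """Return the URL a /proxy request asks the server to fetch, or None for other paths."""
    if not path.startswith("/proxy/"):
        return None
    # Targets are often percent-encoded; decode so the URL parser sees the real host.
    return unquote(path[len("/proxy/"):])


def target_is_internal(url: str) -> bool:
    """True when the target names loopback, link-local or private address space, or an
    obviously internal hostname. Names are not resolved, so this is a floor, not a ceiling."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host in ("localhost", "metadata.google.internal"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat bare hostnames and *.internal as internal.
        return host.endswith(".internal") or "." not in host
    return addr.is_private or addr.is_loopback or addr.is_link_local


def scan(lines: Iterable[str]) -> Iterable[Tuple[str, str, str]]:
    """Yield (source_ip, target_url, reason) for /proxy requests worth a look."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = proxy_target(m["path"])
        if target is None:
            continue
        src = ipaddress.ip_address(m["ip"])
        reasons = []
        if not any(src in net for net in TRUSTED):
            reasons.append("untrusted source")
        if target_is_internal(target):
            reasons.append("internal target")
        if reasons:
            yield (str(src), target, ", ".join(reasons))


def findings() -> List[Tuple[str, str, str]]:
    """Run the scan over the constructed sample log."""
    return list(scan(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for src, target, reason in findings():
        print(f"{src} -> {target}  [{reason}]")
```

Requests that already went through and were answered with a 200 are the ones to triage first, since the response body went back to the caller. The script deliberately does not resolve hostnames: an attacker can point a DNS name at an internal address, so a hostname that looks external is not evidence of a harmless target.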
Exploitation status
EPSS: 0.11% (30th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2024-41668 is to upgrade cBioPortal to version 6.0.12 or later, which includes the fix for the SSRF vulnerability. If upgrading immediately is not possible, a temporary workaround is to block the /proxy endpoint entirely at a reverse proxy such as Nginx, configured to deny every request under the /proxy path. The workaround only holds if the application port is reachable exclusively through that reverse proxy; a backend that is also exposed directly remains vulnerable. After upgrading or applying the block, verify by attempting to access an internal resource through the /proxy endpoint: the request should be refused rather than forwarded to the target.
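The Nginx block described above, as an added example that is not from the cBioPortal project or its documentation. It assumes Nginx is the only path to a single cBioPortal backend listening on 127.0.0.1:8080 (a placeholder address) and listens on plain HTTP for brevity; the TLS settings of a real deployment are unchanged by this.

```nginx
# Added example: deny the cBioPortal /proxy endpoint at the reverse proxy until the
# upgrade to 6.0.12 is done. Backend address and server_name are placeholders.
server {
    listen 80;
    server_name cbioportal.example.org;

    # Regex locations take precedence over the prefix match below. Match "/proxy"
    # itself and anything under it; case-insensitive so /Proxy/... is caught too.
    location ~* ^/proxy(/|$) {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Reload with `nginx -t && nginx -s reload`, then confirm with `curl -s -o /dev/null -w '%{http_code}\n' http://cbioportal.example.org/proxy/http://127.0.0.1/`, which should print 403. Nginx matches locations against the normalized URI, so percent-encoded variants of the path are denied as well.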
Update cBioPortal to 6.0.12 or later. Alternatively, disable the `/proxy` endpoint by configuring a reverse proxy (such as Nginx).
CVE-2024-41668 is a Server-Side Request Forgery vulnerability in cBioPortal versions up to 6.0.11, allowing attackers to make the server issue requests on their behalf and potentially access internal resources.
You are affected if you are running cBioPortal version 6.0.11 or earlier. Publicly exposed instances are at higher risk.
Upgrade to version 6.0.12 or later. As a temporary workaround, disable the /proxy endpoint using a reverse proxy like Nginx.
There is currently no indication of active exploitation, but the SSRF nature of the vulnerability suggests potential for future exploitation.
Refer to the cBioPortal security advisories page for the latest information: https://www.cbioportal.org/security/