CVE-2024-27927 - Vulnerability Details

Link	Providers
https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14
https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13
https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7
https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105
https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069
https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27927", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-28T15:14:14.215Z", "datePublished": "2024-03-06T20:42:51.732Z", "dateUpdated": "2024-08-05T17:56:18.434Z"}, "containers": {"cna": {"title": "RSSHub vulnerable to SSRF in /mastodon, /zjoi, and /m4", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3"}, {"name": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069", "tags": ["x_refsource_MISC"], "url": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069"}, {"name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14", "tags": ["x_refsource_MISC"], "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14"}, {"name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13", "tags": ["x_refsource_MISC"], "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13"}, {"name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7", "tags": ["x_refsource_MISC"], "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7"}, {"name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105", "tags": ["x_refsource_MISC"], "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105"}], "affected": [{"vendor": "DIYgod", "product": "RSSHub", "versions": [{"version": "< 1.0.0-master.a429472", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T20:42:51.732Z"}, "descriptions": [{"lang": "en", "value": "RSSHub is an open source RSS feed generator. Prior to version 1.0.0-master.a429472, RSSHub allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks. The attacker can send malicious requests to a RSSHub server, to make the server send HTTP GET requests to arbitrary destinations and see partial responses. This may lead to leak the server IP address, which could be hidden behind a CDN; retrieving information in the internal network, e.g. which addresses/ports are accessible, the titles and meta descriptions of HTML pages; and denial of service amplification. The attacker could request the server to download some large files, or chain several SSRF requests in a single attacker request."}], "source": {"advisory": "GHSA-3p3p-cgj7-vgw3", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.773Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3"}, {"name": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069"}, {"name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14"}, {"name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13"}, {"name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7"}, {"name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105"}]}, {"affected": [{"vendor": "rsshub", "product": "rsshub", "cpes": ["cpe:2.3:a:rsshub:rsshub:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.0-master.a429472", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T15:40:32.279020Z", "id": "CVE-2024-27927", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T17:56:18.434Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3", "name": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069", "name": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14", "name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13", "name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7", "name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105", "name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:41:55.773Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27927", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T15:40:32.279020Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:rsshub:rsshub:*:*:*:*:*:*:*:*"], "vendor": "rsshub", "product": "rsshub", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.0-master.a429472", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T17:56:05.296Z"}}], "cna": {"title": "RSSHub vulnerable to SSRF in /mastodon, /zjoi, and /m4", "source": {"advisory": "GHSA-3p3p-cgj7-vgw3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "DIYgod", "product": "RSSHub", "versions": [{"status": "affected", "version": "< 1.0.0-master.a429472"}]}], "references": [{"url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3", "name": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069", "name": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14", "name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13", "name": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7", "name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105", "name": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "RSSHub is an open source RSS feed generator. Prior to version 1.0.0-master.a429472, RSSHub allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks. The attacker can send malicious requests to a RSSHub server, to make the server send HTTP GET requests to arbitrary destinations and see partial responses. This may lead to leak the server IP address, which could be hidden behind a CDN; retrieving information in the internal network, e.g. which addresses/ports are accessible, the titles and meta descriptions of HTML pages; and denial of service amplification. The attacker could request the server to download some large files, or chain several SSRF requests in a single attacker request."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-06T20:42:51.732Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27927", "state": "PUBLISHED", "dateUpdated": "2024-08-05T17:56:18.434Z", "dateReserved": "2024-02-28T15:14:14.215Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-06T20:42:51.732Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "RSSHub is an open source RSS feed generator. Prior to version 1.0.0-master.a429472, RSSHub allows remote attackers to use the server as a proxy to send HTTP GET requests to arbitrary targets and retrieve information in the internal network or conduct Denial-of-Service (DoS) attacks. The attacker can send malicious requests to a RSSHub server, to make the server send HTTP GET requests to arbitrary destinations and see partial responses. This may lead to leak the server IP address, which could be hidden behind a CDN; retrieving information in the internal network, e.g. which addresses/ports are accessible, the titles and meta descriptions of HTML pages; and denial of service amplification. The attacker could request the server to download some large files, or chain several SSRF requests in a single attacker request."}, {"lang": "es", "value": "RSSHub es un generador de fuentes RSS de c\u00f3digo abierto. Antes de la versi\u00f3n 1.0.0-master.a429472, RSSHub permit\u00eda a atacantes remotos utilizar el servidor como proxy para enviar solicitudes HTTP GET a objetivos arbitrarios y recuperar informaci\u00f3n en la red interna o realizar ataques de Denegaci\u00f3n de Servicio (DoS). El atacante puede enviar solicitudes maliciosas a un servidor RSSHub para hacer que el servidor env\u00ede solicitudes HTTP GET a destinos arbitrarios y vea respuestas parciales. Esto puede provocar la filtraci\u00f3n de la direcci\u00f3n IP del servidor, que podr\u00eda estar oculta detr\u00e1s de una CDN; recuperar informaci\u00f3n en la red interna, por ejemplo qu\u00e9 direcciones/puertos son accesibles, los t\u00edtulos y meta descripciones de p\u00e1ginas HTML; y denegaci\u00f3n de amplificaci\u00f3n del servicio. El atacante podr\u00eda solicitar al servidor que descargue algunos archivos grandes o encadenar varias solicitudes SSRF en una sola solicitud del atacante."}], "id": "CVE-2024-27927", "lastModified": "2024-11-21T09:05:26.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-03-21T02:52:21.703", "references": [{"source": "[email protected]", "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14"}, {"source": "[email protected]", "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13"}, {"source": "[email protected]", "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7"}, {"source": "[email protected]", "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105"}, {"source": "[email protected]", "url": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069"}, {"source": "[email protected]", "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/m4/index.js#L10-L14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DIYgod/RSSHub/blob/172f6cfd2b69ea6affdbdedf61e6dde1671f3796/lib/routes/zjol/paper.js#L7-L13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/acct.js#L4-L7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DIYgod/RSSHub/blob/5928c5db2472e101c2f5c3bafed77a2f72edd40a/lib/routes/mastodon/utils.js#L85-L105"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DIYgod/RSSHub/commit/a42947231104a9ec3436fc52cedb31740c9a7069"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/DIYgod/RSSHub/security/advisories/GHSA-3p3p-cgj7-vgw3"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Secondary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object