SYM_JAVA_0007 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Server-Side Request Forgery (SSRF)

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Low |
| Impact Level | High |
| Likelihood Level | Low |
## Description

User-controlled input is passed directly to the Dispatch `url` function, allowing an attacker to specify an arbitrary URL for a server-side request. Untrusted users can therefore control where the server sends HTTP requests.
## Impact

An attacker could use this to make your server access internal services or external malicious sites, potentially exposing sensitive data or enabling further attacks on internal infrastructure. They could also exfiltrate data or probe your network, leading to data breaches or service disruptions.
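The finding above boils down to one shape: a string from the request becomes the target of an outbound HTTP call without any policy in between. The example below is added to this entry and is not code from the Symbiotic database or from the Dispatch library. Dispatch is a Scala library, so `java.net.http.HttpRequest` stands in here for the `url(...)` call as an assumption; the allow-listed hosts, the `OutboundUrlPolicy` class name and the sample inputs are all constructed for illustration. It shows the vulnerable shape next to a hardened one that parses the URL, pins the scheme, refuses embedded credentials and matches the host against an allow-list, plus an address-level check for deployments that cannot enumerate every permitted host.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.http.HttpRequest;
import java.util.Locale;
import java.util.Set;

/**
 * Added example for this wiki entry (not Symbiotic or Dispatch code):
 * validate a user-supplied URL before any server-side request is built from it.
 */
public final class OutboundUrlPolicy {

    // Constructed allow-list: the only hosts this service is permitted to fetch from.
    static final Set<String> ALLOWED_HOSTS = Set.of("api.example.com", "cdn.example.com");
    static final Set<String> ALLOWED_SCHEMES = Set.of("https");

    /** Vulnerable shape described by the finding: the raw string becomes the request target. */
    static HttpRequest unsafeRequest(String userSupplied) {
        return HttpRequest.newBuilder(URI.create(userSupplied)).GET().build();
    }

    /** Hardened shape: the request is built only from a URI that passed the policy. */
    static HttpRequest safeRequest(String userSupplied) {
        return HttpRequest.newBuilder(validate(userSupplied)).GET().build();
    }

    /**
     * Returns the parsed URI if it is acceptable, otherwise throws IllegalArgumentException.
     * Order matters: parse first, then scheme, then userinfo, then host allow-list.
     */
    static URI validate(String userSupplied) {
        final URI uri;
        try {
            uri = new URI(userSupplied);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL", e);
        }
        if (!uri.isAbsolute()) {
            throw new IllegalArgumentException("relative URLs are not allowed");
        }
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new IllegalArgumentException("scheme not permitted: " + scheme);
        }
        if (uri.getRawUserInfo() != null) {
            // "https://api.example.com@10.0.0.5/" parses with host 10.0.0.5, not api.example.com.
            // A naive substring check on the allow-listed name would pass it, so refuse userinfo outright.
            throw new IllegalArgumentException("credentials in URL are not allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URL has no host");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not on allow-list: " + host);
        }
        return uri;
    }

    /**
     * Defence in depth where a fixed allow-list is not possible: refuse addresses that
     * point at the local machine or internal network ranges. Apply it to the address the
     * connection is actually made to, because a name can resolve differently between a
     * lookup here and the lookup the HTTP client performs.
     */
    static boolean isInternalAddress(InetAddress addr) {
        return addr.isLoopbackAddress()
            || addr.isAnyLocalAddress()
            || addr.isLinkLocalAddress()
            || addr.isSiteLocalAddress();
    }

    public static void main(String[] args) throws Exception {
        String[] samples = {                                   // constructed inputs
            "https://api.example.com/v1/items?id=42",          // allowed
            "http://api.example.com/v1/items",                 // scheme not permitted
            "https://api.example.com@10.0.0.5/",               // userinfo hides the real host
            "https://127.0.0.1:8080/",                         // host not on allow-list
            "file:///etc/hostname",                            // scheme not permitted
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + "  (" + e.getMessage() + ")");
            }
        }
        // Address-level check, shown with literal IPs so no DNS lookup is needed.
        System.out.println(isInternalAddress(InetAddress.getByName("127.0.0.1")));
        System.out.println(isInternalAddress(InetAddress.getByName("10.0.0.5")));
        System.out.println(isInternalAddress(InetAddress.getByName("203.0.113.7")));
    }
}
```

Of the five constructed inputs only the first passes `validate`; the other four are rejected by the scheme, userinfo and host checks in that order. `isInternalAddress` reports true for the loopback and 10/8 addresses and false for the documentation-range address. Note that a host allow-list is the primary control; the address check does not replace it, since a permitted name resolving to an internal address between checks (DNS rebinding) is only caught if the check runs against the address the client connects to, which most HTTP clients do not expose without a custom resolver.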