SYM_PY_0211 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Medium |
Description
User-supplied input from the HTTP request is used directly to build the URL of a server-side request made with urllib, without validation. This lets an attacker choose the destination of the backend request, which is unsafe.
Impact
An attacker could make your server send requests to internal services or sensitive resources, potentially accessing private data or performing actions on behalf of your server. This could lead to data leaks, unauthorized access to infrastructure, or be leveraged to further compromise your environment.
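The pattern this rule flags beside a hardened version, as an added illustration that is not part of the Symbiotic rule page: the allowlisted host, the helper names and the sample URLs are assumptions constructed for the example.

```python
# Added example (not from the Symbiotic rule page). Shows the unsafe pattern the
# rule describes and a validation layer in front of urllib. ALLOWED_HOSTS and the
# function names are constructed for illustration.
import ipaddress
import urllib.parse
import urllib.request
from typing import Optional

ALLOWED_HOSTS = {"api.example.com"}  # constructed allowlist (assumption)


def fetch_unsafe(user_url: str) -> bytes:
    """Vulnerable: a request parameter becomes the outbound destination unchanged."""
    with urllib.request.urlopen(user_url) as resp:  # what this rule flags
        return resp.read()


def validate_outbound_url(user_url: str, allowed_hosts=ALLOWED_HOSTS) -> Optional[str]:
    """Return a normalised URL if it may be fetched, otherwise None."""
    parts = urllib.parse.urlsplit(user_url)
    if parts.scheme not in ("http", "https"):  # rejects file://, ftp://, etc.
        return None
    if parts.username or parts.password:  # "allowed-host@real-host" confusion
        return None
    host = parts.hostname
    if not host:
        return None
    try:  # IP literals: refuse loopback, private, link-local and reserved ranges
        ip = ipaddress.ip_address(host)
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_unspecified):
            return None
    except ValueError:
        pass  # not an IP literal; fall through to the hostname allowlist
    if host.lower() not in allowed_hosts:
        return None
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))


def fetch_safe(user_url: str) -> bytes:
    """Hardened: only destinations that pass validation reach urllib."""
    target = validate_outbound_url(user_url)
    if target is None:
        raise ValueError("refusing outbound request to an unapproved destination")
    with urllib.request.urlopen(target) as resp:
        return resp.read()
```

The allowlist is the primary control; the IP checks only cover literal addresses, so a hostname that resolves to an internal address must still be excluded by keeping the allowlist tight (or by checking the resolved address before connecting).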