{"containers": {"cna": {"affected": [{"product": "https://github.com/concrete5/concrete5", "vendor": "n/a", "versions": [{"status": "affected", "version": "Affected version Concrete CMS (concrete5) 8.5.6 and below. Fixed in Concrete CMS version 8.5.7 and 9.0.0"}]}], "descriptions": [{"lang": "en", "value": "Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices.This fix is also in Concrete version 9.0.0"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF) (CWE-918)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-19T18:08:30", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1369312"}, {"tags": ["x_refsource_MISC"], "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2021-22969", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "https://github.com/concrete5/concrete5", "version": {"version_data": [{"version_value": "Affected version Concrete CMS (concrete5) 8.5.6 and below. Fixed in Concrete CMS version 8.5.7 and 9.0.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices.This fix is also in Concrete version 9.0.0"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Server-Side Request Forgery (SSRF) (CWE-918)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/1369312", "refsource": "MISC", "url": "https://hackerone.com/reports/1369312"}, {"name": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes", "refsource": "MISC", "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2021-22969", "datePublished": "2021-11-19T18:08:30", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2021-11-19T18:08:30", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "2B7FD65C-EFA6-40A6-9698-FFEDD4846EE1", "versionEndExcluding": "8.5.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices.This fix is also in Concrete version 9.0.0"}, {"lang": "es", "value": "Concrete CMS (antes concrete5) versiones anteriores a 8.5.7, presentan una omisi\u00f3n de mitigaci\u00f3n de tipo SSRF usando un ataque DNS Rebind dando a un atacante la capacidad de conseguir claves IAM en la nube IAAS (ex AWS). Para corregir esto Concrete CMS ya no permite descargas desde la red local y especifica la IP comprobada cuando descarga en lugar de confiar en DNS.Discoverer: Adrian Tiron de FORTBRIDGE ( https://www.fortbridge.co.uk/ ).El equipo de Concrete CMS dio a esto una puntuaci\u00f3n CVSS 3.1 de 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Por favor, tenga en cuenta que los errores de configuraci\u00f3n de los proveedores de Cloud IAAS no son vulnerabilidades concretas de CMS. Una mitigaci\u00f3n para esta vulnerabilidad es asegurarse de que las configuraciones de IMDS est\u00e1n de acuerdo con las mejores pr\u00e1cticas del proveedor de la nube. Esta correcci\u00f3n tambi\u00e9n est\u00e1 en Concrete versi\u00f3n 9.0.0"}], "id": "CVE-2021-22969", "lastModified": "2021-11-23T13:35:11.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-19T19:15:08.507", "references": [{"source": "support@hackerone.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes"}, {"source": "support@hackerone.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/1369312"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{}