CVE-2024-23336 - OpenCVE

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

No data.

No data.

References

Link	Resource
https://docs.mybb.com/1.8/administration/configuration-file
https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630
https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h
https://mybb.com/versions/1.8.38

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-01T06:27:37.987Z

Updated: 2024-06-06T14:06:34.074Z

Reserved: 2024-01-15T15:19:19.443Z

Link: CVE-2024-23336

JSON object: View

NVD Information

Status : Awaiting Analysis

Published: 2024-05-01T07:15:38.660

Modified: 2024-05-01T13:01:51.263

Link: CVE-2024-23336

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23336", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.443Z", "datePublished": "2024-05-01T06:27:37.987Z", "dateUpdated": "2024-06-06T14:06:34.074Z"}, "containers": {"cna": {"title": "Incomplete disallowed remote addresses list in MyBB", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"}, {"name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630", "tags": ["x_refsource_MISC"], "url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"}, {"name": "https://docs.mybb.com/1.8/administration/configuration-file", "tags": ["x_refsource_MISC"], "url": "https://docs.mybb.com/1.8/administration/configuration-file"}, {"name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC"], "url": "https://mybb.com/versions/1.8.38"}], "affected": [{"vendor": "mybb", "product": "mybb", "versions": [{"version": "< 1.8.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T06:27:37.987Z"}, "descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list."}], "source": {"advisory": "GHSA-qfrj-65mv-h75h", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "mybb", "product": "mybb", "cpes": ["cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.8.38", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-05-01T13:48:54.371730Z", "id": "CVE-2024-23336", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T14:06:34.074Z"}}]}}

{"descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list."}, {"lang": "es", "value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. La lista predeterminada de hosts remotos no permitidos no contiene el bloque `127.0.0.0/8`, lo que puede provocar una vulnerabilidad de Server Side Request Forgery (SSRF). La lista de _Direcciones remotas no permitidas_ del archivo de configuraci\u00f3n (\"$config['disallowed_remote_addresses']`) contiene la direcci\u00f3n `127.0.0.1`, pero no incluye el bloque completo `127.0.0.0/8`. MyBB 1.8.38 resuelve este problema en las instalaciones predeterminadas. Los administradores de las placas instaladas deben actualizar la configuraci\u00f3n existente (`inc/config.php`) para incluir todas las direcciones bloqueadas de forma predeterminada. Adem\u00e1s, se recomienda a los usuarios que verifiquen que incluya otras direcciones IPv4 que se resuelvan en el servidor y otros recursos internos. Los usuarios que no puedan actualizar pueden agregar manualmente 127.0.0.0/8' a su lista de direcciones no permitidas."}], "id": "CVE-2024-23336", "lastModified": "2024-05-01T13:01:51.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-01T07:15:38.660", "references": [{"source": "security-advisories@github.com", "url": "https://docs.mybb.com/1.8/administration/configuration-file"}, {"source": "security-advisories@github.com", "url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"}, {"source": "security-advisories@github.com", "url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"}, {"source": "security-advisories@github.com", "url": "https://mybb.com/versions/1.8.38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}