Описание
Mobile Security Framework (MobSF) vulnerable to SSRF in firebase database check
Impact
What kind of vulnerability is it? Who is impacted? SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When malicious app is uploaded to Static analyzer, it is possible to make internal requests.
Credits: Oleg Surnin (Positive Technologies).
Patches
Has the problem been patched? What versions should users upgrade to? v3.9.8 and above
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading? Code level patch
References
Are there any links users can visit to find out more? https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
Ссылки
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx
- https://nvd.nist.gov/vuln/detail/CVE-2024-31215
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
- https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716
Пакеты
mobsf
<= 3.9.7
3.9.8
Связанные уязвимости
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.
Уязвимость компонента Firebase Database Check фреймворка для исследования безопасности мобильных приложений Mobile Security Framework (MobSF), позволяющая нарушителю выполнить SSRF-атаку