
CWE-918 Server-Side Request Forgery (SSRF) vulnerability list (1659)

Summary of 1659 CVE vulnerabilities with the CWE-918 Server-Side Request Forgery (SSRF) weakness, including AI-generated Chinese analysis.

CWE-918 Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker induce the server to issue requests of the attacker's choosing. When a server accepts an externally supplied URL and fetches its content without strictly validating the target address, an attacker can craft requests that reach internal network resources or probe internal services, bypassing firewall restrictions. Developers should enforce a strict allowlist, restrict the permitted protocols, disable redirects, and validate all input thoroughly, so that requests can only reach the intended, legitimate external resources.

MITRE CWE official description
CWE: CWE-918 Server-Side Request Forgery (SSRF). Description: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Common consequences (3)
Confidentiality: Read Application Data
Integrity: Execute Unauthorized Code or Commands
Access Control: Bypass Protection Mechanism
By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly. The server can be used as a proxy to conduct port scanning of hosts i…
Code example (1)
This code intends to receive a URL from a user, access the URL, and return the results to the user.
    $url = $_GET['url']; # User-controlled input
    # Fetch the content of the provided URL
    $response = file_get_contents($url);
    echo $response;
Bad · PHP
    # Define allowed URLs (or domains)
    $allowed_urls = [
        'https://example.com/data.json',
        'https://api.example.com/info',
    ];
    # Get the user-provided URL
    $url = $_GET['url'] ?? '';
    # Validate against allowed URLs
    if (!in_array($url, $allowed_urls)) {
        http_response_code(400);
        echo "Invalid or unauthorized URL.";
        exit;
    }
    # Fetch content safely
    $response = @file_get_contents($url);
    if ($response === false) {
        http_response_code(500);
        echo "Failed to fetch content.";
        exit;
    }
    echo htmlspecialchars($response); # Escape output for safety
Good · PHP
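The exact-URL allowlist above is the narrowest possible fix. The following Python example, added here and not part of the MITRE code sample or this platform's content, generalises it into the controls recommended in the introduction: an allowlist of scheme and host, rejection of userinfo and non-default ports, a check that every address the host resolves to is publicly routable, and a fetch with redirects disabled. The allowlisted hosts and the injectable resolver are assumptions made for the example.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Constructed allowlist for this example; a real service loads its own.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"example.com", "api.example.com"}

def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast (no loopback, link-local, private)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url: str, resolver=socket.getaddrinfo):
    """Return None if the URL may be fetched server-side, else a reason string."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return f"host not allowed: {host!r}"
    if (parts.port or 443) != 443:
        return f"port not allowed: {parts.port}"
    # An allowlisted name may still resolve to an internal address, so check each one.
    try:
        infos = resolver(host, 443, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return f"cannot resolve {host!r}: {exc}"
    addrs = {info[4][0] for info in infos}
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return f"{host!r} resolves to a non-public address"
    return None

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_allowlisted(url: str, timeout: float = 5.0) -> bytes:
    reason = check_outbound_url(url)  # uses the real resolver here
    if reason is not None:
        raise ValueError(reason)
    with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as resp:
        return resp.read()
```

The resolver check matters because the name itself passes the allowlist; a fake resolver is what lets the validation be exercised without network access.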
CVE ID | Title | CVSS | Risk level | Published
CVE-2021-24150 | WordPress Like Button Rating Code Issue Vulnerability — Like Button Rating ♥ LikeBtn | 7.5 | - | 2021-04-05
CVE-2021-22696 | Apache CXF Code Issue Vulnerability — Apache CXF | 9.1 | - | 2021-04-02
CVE-2020-12529 | MB CONNECT LINE mymbCONNECT24e Code Issue Vulnerability — mymbCONNECT24 | 5.8 | Medium | 2021-03-02
CVE-2021-21311 | SOURCEFORGE Adminer Code Issue Vulnerability — adminer | 7.2 | High | 2021-02-11
CVE-2021-21288 | CarrierWave Code Issue Vulnerability — carrierwave | 4.3 | Medium | 2021-02-08
CVE-2021-21287 | Minio MinIO Code Issue Vulnerability — minio | 7.7 | High | 2021-02-01
CVE-2021-1272 | Cisco Data Center Network Manager Code Issue Vulnerability — Cisco Data Center Network Manager | 8.8 | High | 2021-01-20
CVE-2021-21009 | Adobe Campaign Classic Code Issue Vulnerability — Campaign | 8.6 | High | 2021-01-13
CVE-2020-26258 | XStream Code Issue Vulnerability — xstream | 6.3 | Medium | 2020-12-16
CVE-2020-10770 | Red Hat Keycloak Code Issue Vulnerability — keycloak | 5.3 | - | 2020-12-15
CVE-2020-17513 | Apache Airflow Code Issue Vulnerability — Apache Airflow | 5.3 | - | 2020-12-14
CVE-2020-24444 | Adobe Experience Manager Code Issue Vulnerability — Experience Manager | 5.8 | Medium | 2020-12-10
CVE-2020-7329 | McAfee MVISION Endpoint Code Issue Vulnerability — MVISION Endpoint ePO extension | 7.2 | High | 2020-11-11
CVE-2020-7328 | McAfee MVISION Endpoint Code Issue Vulnerability — MVISION Endpoint ePO extension | 7.2 | High | 2020-11-11
CVE-2020-15297 | Bitdefender Endpoint Security Tool Code Issue Vulnerability — Bitdefender Update Server | 7.1 | High | 2020-11-09
CVE-2020-17386 | Cellopoint Cellos Security Vulnerability — CelloOS | 6.5 | Medium | 2020-08-25
CVE-2020-15152 | ftp-srv Code Issue Vulnerability — ftp-srv | 9.1 | Critical | 2020-08-17
CVE-2020-8205 | uppy npm package Code Issue Vulnerability — uppy | 7.5 | - | 2020-07-20
CVE-2020-8555 | Kubernetes Code Issue Vulnerability — Kubernetes | 6.3 | Medium | 2020-06-04
CVE-2020-8138 | Nextcloud server Code Issue Vulnerability — Nextcloud Server | 7.5 | - | 2020-03-20
CVE-2020-8134 | Ghost CMS Code Issue Vulnerability — Ghost | 7.5 | - | 2020-03-20
CVE-2020-8135 | uppy npm package Code Issue Vulnerability — uppy | 7.5 | - | 2020-03-20
CVE-2020-8118 | Nextcloud Code Issue Vulnerability — Nextcloud Server | 7.7 | - | 2020-02-04
CVE-2019-6837 | Multiple Schneider Electric products Code Issue Vulnerability — U.motion Server | 9.1 | - | 2019-09-17
CVE-2019-11897 | ProSyst mBS SDK and Bosch IoT Gateway Code Issue Vulnerability — IoT Gateway Software | 7.5 | - | 2019-08-21
CVE-2019-7616 | Elasticsearch Kibana Code Issue Vulnerability — Kibana | 4.9 | - | 2019-07-30
CVE-2019-1872 | Cisco Expressway Series and Cisco TelePresence Video Communication Server Code Issue Vulnerability — Cisco TelePresence Video Communication Server (VCS) | 5.3 | - | 2019-06-05
CVE-2019-1679 | Cisco TelePresence Conductor, Expressway Series and TelePresence VCS Code Issue Vulnerability — Cisco TelePresence Conductor | 5.0 | - | 2019-02-07
CVE-2018-7516 | Geutebrück G-Cam/EFD-2250 and Topline TopFD-2125 Security Vulnerability — Geutebrück G-Cam/EFD-2250 (part n° 5.02024) firmware and Topline TopFD-2125 (part n° 5.02820) firmware | 7.3 | - | 2018-03-22
CVE-2017-18036 | Atlassian Bitbucket Server Github repository importer Security Vulnerability — Bitbucket Server | 4.3 | - | 2018-02-02

CWE-918 (Server-Side Request Forgery (SSRF)) is a common weakness category; this platform indexes 1659 CVE vulnerabilities associated with it.