CVE-2022-43140 PoC — kkFileView 代码问题漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-43140.yaml

Associated Vulnerability

Title:kkFileView 代码问题漏洞 (CVE-2022-43140)
Description:Keking kkFileView是中国凯京科技（Keking）公司的一个 Spring-Boot 打造文件文档在线预览项目。 kkFileView v4.1.0版本存在安全漏洞，该漏洞源于组件cn.keking.web.controller.OnlinePreviewController#getCorsFile包含服务器端请求伪造(SSRF)，允许攻击者通过将精心制作的URL注入url参数来强制应用程序发出任意请求。

Description

kkFileView 4.1.0 is susceptible to server-side request forgery via the component cn.keking.web.controller.OnlinePreviewController#getCorsFile. An attacker can force the application to make arbitrary requests via injection of crafted URLs into the url parameter and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.

File Snapshot


 id: CVE-2022-43140

info:
  name: kkFileView 4.1.0 - Server-Side Request Forgery
  author: Co5mos
  

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!