perfSONAR 4.4.4 Open Proxy / Relay
perfSONAR bundles a graphData.cgi script, used to graph and visualize
data. A flaw in graphData.cgi allows unauthenticated users to proxy and
relay HTTP/HTTPS traffic through the perfSONAR server. The vulnerability
can potentially be leveraged to exfiltrate or enumerate data from
internal web servers. This vulnerability was patched in perfSONAR
version 4.4.5. Versions 4.x through 4.4.4 are affected. A whitelisting
function mitigates the issue, but it is disabled by default.
https://packetstormsecurity.com/files/170069/CVE-2022-41412.tgz
Wed, 30 Nov 2022 21:16:11 GMT
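
To review a server that ran an affected version for signs of relay use, the web access log can be searched for graphData.cgi requests that carry a destination URL. The following is an added example, not code from the advisory or from perfSONAR; it assumes combined-format access logs and that the relayed destination appears as a query-string value, and the paths, parameter names and log lines in it are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

SCRIPT = "graphData.cgi"  # script named in the advisory
LINE_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines; the /cgi-bin/ prefix and the parameter
# names (src, url, window, next) are made up for illustration.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Nov/2022:21:16:11 +0000] "GET /cgi-bin/graphData.cgi?src=http%3A%2F%2F10.0.0.5%2Fstatus HTTP/1.1" 200 812',
    '198.51.100.7 - - [30/Nov/2022:21:17:02 +0000] "GET /cgi-bin/graphData.cgi?url=https://intranet.example/reports HTTP/1.1" 200 4410',
    '203.0.113.4 - - [30/Nov/2022:21:18:40 +0000] "GET /cgi-bin/graphData.cgi?window=1h HTTP/1.1" 200 230',
    '203.0.113.4 - - [30/Nov/2022:21:19:05 +0000] "GET /search?next=http%3A%2F%2F10.0.0.9%2F HTTP/1.1" 200 99',
]

def classify_host(host):
    """Label a destination: internal/external for IP literals, else hostname."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # a name; the analyst must resolve it
    return "internal" if ip.is_private else "external"

def find_relay_requests(lines):
    """Return (client, destination host, label, status) per suspicious request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/" + SCRIPT):
            continue  # only requests to the affected script
        for _name, value in parse_qsl(parts.query):  # values are URL-decoded
            try:
                dest = urlsplit(value)
                host = dest.hostname
            except ValueError:
                continue  # malformed URL in the parameter
            if dest.scheme in ("http", "https") and host:
                hits.append((client, host, classify_host(host), int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_relay_requests(SAMPLE_LOG):
        print(hit)
```

Hits labelled "internal", and hostnames that resolve only inside the network, are the ones that matter for the exfiltration and enumeration risk the advisory describes.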