Server-side request forgery in Drupal 8.x
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-5385 |
| CWE-ID | CWE-918 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Drupal Web applications / CMS |
| Vendor | Drupal |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) SSRF in Guzzle library
EUVDB-ID: #VU346
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-5385
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on vulnerable system.
The vulnerability exists due to usage of third-party PHP library Guzzle for performing server-side HTTP requests. A remote attacker can use malicious server that returns a 301 HTTP redirect response to local resource to connect to services within internal network or on localhost.
Successful exploitation of this vulnerability may allow an attacker to perform SSRF attack to retrieve information for further attacks against vulnerable system by performing unauthorized connections to local resources, gain access to sensitive information and compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild and is referred as HTTPoxy.
MitigationInstall the latest Drupal version 8.1.7:
https://www.drupal.org/project/drupal/releases/8.1.7
Drupal: 8.0.0 - 8.1.6
External linkshttp://www.drupal.org/SA-CORE-2016-003
http://httpoxy.org/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
