CVE-2020-23534

9.8 CRITICAL

📋 TL;DR

This SSRF vulnerability in gopeak masterlab 2.1.5 allows attackers to make arbitrary HTTP requests from the vulnerable server via the 'source' parameter in Upgrade.php. Attackers can potentially access internal services, perform port scanning, or interact with cloud metadata APIs. Organizations running masterlab 2.1.5 with internet-facing instances are affected.

💻 Affected Systems

Products:
  • gopeak masterlab
Versions: 2.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to Upgrade.php endpoint, typically accessible during upgrade processes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise via interaction with cloud metadata services (AWS/Azure/GCP) to obtain credentials, leading to lateral movement and data exfiltration.

🟠 Likely Case

Internal network reconnaissance, access to internal services, and potential data leakage from internal APIs.

🟢 If Mitigated

Limited to port scanning and basic network discovery if proper network segmentation and egress filtering are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required. GitHub issue includes proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.1.5

Vendor Advisory: https://github.com/gopeak/masterlab/issues/254

Restart Required: No

Instructions:

1. Upgrade to the latest masterlab version.
2. Verify Upgrade.php no longer accepts arbitrary URLs in the 'source' parameter.
3. Test upgrade functionality.

🔧 Temporary Workarounds

Block Upgrade.php Access

all

Restrict access to Upgrade.php endpoint via web server configuration

# Apache: RewriteRule ^Upgrade\.php$ - [F]
# Nginx: location ~ /Upgrade\.php$ { deny all; }

Input Validation

all

Add validation to only allow specific, trusted sources for upgrades

# Modify Upgrade.php to validate 'source' parameter against whitelist

🧯 If You Can't Patch

  • Implement strict network egress filtering to block outbound requests from web servers
  • Deploy WAF rules to detect and block SSRF patterns in requests to Upgrade.php

🔍 How to Verify

Check if Vulnerable:

Request Upgrade.php with a crafted 'source' parameter pointing to an internal service or to an external validation service such as burpcollaborator.net.

Check Version:

Check masterlab version in admin panel or via package manager

Verify Fix Applied:

Test that Upgrade.php rejects arbitrary URLs and only accepts validated upgrade sources

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from web server
  • Requests to Upgrade.php with unusual 'source' parameters
  • Access to internal IP addresses from web server

Network Indicators:

  • Web server making unexpected outbound HTTP requests
  • Requests to cloud metadata endpoints from web server

SIEM Query:

source="web_server_logs" AND uri="/Upgrade.php" AND (source_param CONTAINS "http://" OR source_param CONTAINS "https://")
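
The SIEM query above fires on any URL in 'source', including legitimate upgrade hosts. As an added example (not part of the original advisory or of masterlab), this Python triage parses access-log lines, URL-decodes the 'source' parameter and classifies the destination; the combined log format, the sample lines and the allow-listed host `updates.example.com` are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"updates.example.com"}  # assumption: your real upgrade host(s)
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SAMPLE_LOG = [  # constructed lines in combined log format, not real traffic
    '198.51.100.4 - - [01/Jan/2024:10:00:00 +0000] "GET /Upgrade.php?source=https%3A%2F%2Fupdates.example.com%2Fpkg.zip HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET /Upgrade.php?source=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 312',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /Upgrade.php?source=http%3A%2F%2F10.0.0.5%3A6379%2F HTTP/1.1" 200 0',
    '198.51.100.4 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?source=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 10',
    '203.0.113.9 - - [01/Jan/2024:10:04:00 +0000] "POST /Upgrade.php?source=http%3A%2F%2Flocalhost%3A8080%2Fadmin HTTP/1.1" 200 77',
]

def classify(url):
    """Return a verdict for the destination the server was asked to fetch."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        host = None
    if not host:
        return "unparseable"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name, or an IP written in a non-dotted form: only the allow-list passes.
        if host == "localhost" or host.endswith((".internal", ".local")):
            return "internal"
        return "allowed" if host in ALLOWED_HOSTS else "untrusted-host"
    if ip == ipaddress.ip_address("169.254.169.254"):
        return "cloud-metadata"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "untrusted-host"

def scan(lines):
    """Return (client, source_url, verdict) for each suspicious Upgrade.php hit."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        parts = urlsplit(m.group(2)) if m else None
        if not parts or not parts.path.lower().endswith("/upgrade.php"):
            continue
        for url in parse_qs(parts.query).get("source", []):
            if (verdict := classify(url)) != "allowed":
                findings.append((m.group(1), url, verdict))
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Hostnames are not resolved here, so a public name that points at an internal address is reported only as `untrusted-host`; pair this triage with egress logs to confirm what the server actually contacted.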
