CVE-2021-22970

7.5 HIGH

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Concrete CMS: an authenticated user can point the URL import feature at addresses on the server's private LAN, and the server fetches them on the attacker's behalf. Attackers can read files from local LAN servers and pivot to internal applications, and can bypass SSRF mitigations via DNS rebinding (the hostname resolves to a public address when the URL is validated and to an internal address when the fetch is made). Affected systems are Concrete CMS versions 8.5.6 and below, and version 9.0.0.

💻 Affected Systems

Products:
  • Concrete CMS (formerly concrete5)
Versions: 8.5.6 and below, and version 9.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user (PR:L in the CVSS vector). Concrete CMS provided security fixes for the 8.5.x branch until May 1, 2022.

📦 What is this software?

Concrete CMS (formerly concrete5) is an open-source PHP content management system. The vulnerable code path is the feature that imports files into the CMS from a user-supplied URL.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers pivot within private networks to exploit internal applications, potentially leading to data exfiltration, lateral movement, and compromise of internal systems.

🟠

Likely Case

Unauthorized access to internal network resources and file reading from local servers, potentially exposing sensitive internal data.

🟢

If Mitigated

Limited impact with proper network segmentation and SSRF protections in place, restricting access to critical internal resources.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details are available via HackerOne reports. Exploitation requires an authenticated account and some knowledge of the internal network resources to target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.7 and 9.0.1

Vendor Advisory: https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes

Restart Required: No

Instructions:

1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS version 8.5.7 (8.x branch) or 9.0.1 (9.x branch).
3. Verify the update completed successfully and that the declared version is the fixed one.
4. Test critical functionality, including the URL import feature with an internal address to confirm it is now rejected.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Restrict the Concrete CMS server's outbound (egress) connectivity so it cannot reach internal network resources. This is the control that still holds when URL validation is bypassed by DNS rebinding.

Input Validation (all platforms)

Implement strict URL validation for the import functionality and allowlist the permitted domains. Validate the address the hostname actually resolves to, not just the URL string, and connect to that resolved address; a check on the string alone is bypassed by DNS rebinding.
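The resolve-once, pin-and-verify pattern behind that advice, as an added Python example written for this page (it is not Concrete CMS code and does not describe the vendor's actual fix). The hostname table is constructed test data standing in for DNS; the http/https scheme allowlist and the blocked address ranges are the assumptions a file-import feature would normally make.

```python
"""Resolve-once, pin-and-verify guard for an import-from-URL feature.

Added illustration for this page, not Concrete CMS code. Assumptions: the
import feature only needs http/https, and FAKE_DNS below is constructed test
data standing in for real DNS answers.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers for offline use. The second entry imitates a rebinding
# or split answer: one public address alongside one internal one.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "rebind.attacker.example": ["93.184.216.34", "10.0.0.5"],
    "meta.attacker.example": ["169.254.169.254"],
    "v6.attacker.example": ["::ffff:192.168.1.20"],
}


def table_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host.lower(), [])


def system_resolver(host: str) -> list[str]:
    """Real resolver: every A/AAAA answer the OS returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    """Addresses an import feature must never fetch: RFC 1918 (10/8, 172.16/12,
    192.168/16), loopback, link-local (incl. 169.254.169.254 cloud metadata),
    multicast, reserved, unspecified, and the IPv6 equivalents."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 by the embedded IPv4 address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def pin_import_target(url: str, resolve: Resolver = system_resolver) -> tuple[str, str, int]:
    """Validate an import URL; return (host_header, pinned_ip, port) or raise ValueError.

    DNS rebinding defence: the name is resolved exactly once, every answer is
    checked, and the caller must open the connection to the returned IP literal
    (keeping the original name for the Host header / SNI). Letting the HTTP
    client resolve the name a second time is the window a rebinding attacker uses.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if scheme == "https" else 80)

    try:
        ipaddress.ip_address(host)  # IP literal in the URL: no DNS involved
        addresses = [host]
    except ValueError:
        # Hostnames, and short literals ipaddress rejects (e.g. "127.1"), go
        # through the resolver, which normalises them to real addresses.
        addresses = list(resolve(host))
    if not addresses:
        raise ValueError(f"{host!r} did not resolve")

    # Reject if *any* answer is internal: a mixed public/private answer set is
    # exactly what a rebinding or round-robin attack looks like.
    for addr in addresses:
        if is_blocked_address(addr):
            raise ValueError(f"{host!r} resolves to blocked address {addr}")
    return host, addresses[0], port


def decide(url: str, resolve: Resolver = system_resolver) -> str:
    """'ALLOW <host> <ip> <port>' or 'DENY <reason>', for logging and testing."""
    try:
        host, ip, port = pin_import_target(url, resolve)
    except ValueError as exc:
        return f"DENY {exc}"
    return f"ALLOW {host} {ip} {port}"


if __name__ == "__main__":
    for candidate in ("https://files.example.com/theme.zip",
                      "http://rebind.attacker.example/",
                      "http://meta.attacker.example/latest/meta-data/",
                      "http://v6.attacker.example/",
                      "http://127.0.0.1:8080/",
                      "http://[::1]/",
                      "file:///etc/passwd"):
        print(f"{candidate:48} -> {decide(candidate, table_resolver)}")
```

The important design point is that the fetch must then be made to the returned IP literal (for example by connecting to the address and supplying the hostname separately for the Host header and TLS SNI); a guard that validates and then hands the original URL back to a normal HTTP client has not closed the rebinding window.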

🧯 If You Can't Patch

  • Implement network-level egress restrictions so the Concrete CMS server cannot reach internal resources, including loopback, link-local and cloud metadata addresses, and the RFC 1918 ranges
  • Apply web application firewall rules to restrict URL imports; note that pattern-based rules only see the submitted URL string and do not stop a hostname that rebinds to an internal address after validation

🔍 How to Verify

Check if Vulnerable:

Check the Concrete CMS version in the admin dashboard or in the version file. If the version is 8.5.6 or below, or exactly 9.0.0, the system is vulnerable.

Check Version:

The 'version' key in concrete/config/concrete.php (relative to the web root) declares the installed code version; the admin dashboard also displays it.

Verify Fix Applied:

Confirm the version is 8.5.7 or later on the 8.x branch, or 9.0.1 or later on the 9.x branch. Then test the import functionality with an internal URL (for example a loopback or RFC 1918 address) and with a hostname under your control that resolves to an internal address, to confirm both are rejected.
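An added Python example of the branch-aware check, written for this page and not part of Concrete CMS: it reads the 'version' key from a concrete/config/concrete.php excerpt (the excerpt below is constructed sample input) and applies the fixed-version boundaries stated above, so that 8.5.10 or 9.1.x are correctly reported as fixed while 9.0.0 is not.

```python
"""Branch-aware version check for CVE-2021-22970.

Added example for this page, not vendor code. Reads the 'version' key that
concrete/config/concrete.php declares and decides whether the install is on a
vulnerable release. SAMPLE_CONFIG is a constructed excerpt of that file.
"""
import re

# First fixed release on each affected branch (from the advisory data above).
FIRST_FIXED = {8: (8, 5, 7), 9: (9, 0, 1)}

# Constructed excerpt of concrete/config/concrete.php; only 'version' matters here.
SAMPLE_CONFIG = """<?php
return [
    'version' => '8.5.6',
    'version_installed' => '8.5.6',
];
"""

# Matches the bare 'version' key only, not 'version_installed' or 'version_db'.
_VERSION_KEY = re.compile(r"^\s*'version'\s*=>\s*'([^']+)'", re.MULTILINE)


def parse_declared_version(config_text: str) -> str:
    m = _VERSION_KEY.search(config_text)
    if not m:
        raise ValueError("no 'version' key found in config")
    return m.group(1)


def version_tuple(version: str) -> tuple[int, ...]:
    """'8.5.7' -> (8, 5, 7); a trailing tag such as 'RC1' is ignored and
    missing components are padded with zeros so tuples compare cleanly."""
    nums = re.match(r"\d+(?:\.\d+)*", version)
    if not nums:
        raise ValueError(f"unparseable version {version!r}")
    parts = tuple(int(p) for p in nums.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable(version: str) -> bool:
    v = version_tuple(version)
    major = v[0]
    if major < 8:
        return True  # "8.5.6 and below" covers every older release line
    fixed = FIRST_FIXED.get(major)
    if fixed is None:
        return False  # branches newer than 9.x were released after the fix
    return v < fixed


def assess_config(config_text: str) -> tuple[str, bool]:
    """Return (declared_version, vulnerable?) for a concrete.php file body."""
    declared = parse_declared_version(config_text)
    return declared, is_vulnerable(declared)


if __name__ == "__main__":
    declared, vulnerable = assess_config(SAMPLE_CONFIG)
    print(f"declared version {declared}: {'VULNERABLE' if vulnerable else 'fixed'}")
```

On a real host, feed the function the contents of concrete/config/concrete.php under the web root; the 'version' key is the code version, which is the one the fix applies to.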

📡 Detection & Monitoring

Log Indicators:

  • Import requests whose URL points at an internal IP address
  • Multiple failed import attempts from one account
  • Requests to loopback (127.0.0.0/8), link-local (169.254.0.0/16, which includes cloud metadata endpoints) and private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); note that a DNS-rebinding attack uses a hostname, so the URL in the request log may show no internal address at all

Network Indicators:

  • Outbound connections from the Concrete CMS server to internal resources (the reliable signal for rebinding, since the hostname in the request log looks benign)
  • DNS queries for internal hostnames from CMS server

SIEM Query:

source="concrete_cms" AND url MATCHES "^https?://(\[?::1\]?|127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|169\.254\.)"

The syntax is generic; adapt the field name and the regex operator to your SIEM. Anchoring on the scheme and matching whole octets avoids false positives from a hostname or path that merely contains "10.", and covers the whole 172.16.0.0/12 block, which a substring pattern like "*172.16.*" misses. The query cannot see hostnames that rebind to internal addresses, so pair it with the server's outbound connection or DNS logs.
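An added Python example (not Concrete CMS or vendor SIEM content) that runs the same triage over constructed log lines in a key=value format; adapt the url= extraction to your real field name. It classifies each import URL by the address family of its host, flags hostnames as needing correlation with outbound-connection or DNS logs because of rebinding, and evaluates the naive substring patterns ("10.", "172.16.", "192.168.") side by side to show the false positive on a hostname like cdn10.example.com and the miss on 172.20.1.9.

```python
"""Triage of URL-import log entries for SSRF to internal addresses.

Added example for this page, not vendor code. SAMPLE_LOG is a constructed
key=value log format; only the url= field is used, so adapt that regex to
the real field name of your CMS or proxy logs.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines.
SAMPLE_LOG = """\
2021-11-20T10:15:02Z user=editor action=file_import url=http://10.0.0.5/secrets.txt status=200
2021-11-20T10:15:40Z user=editor action=file_import url=http://172.20.1.9:8080/admin status=200
2021-11-20T10:16:11Z user=editor action=file_import url=http://cdn10.example.com/theme.zip status=200
2021-11-20T10:16:45Z user=editor action=file_import url=http://[::1]:9200/_cat/indices status=200
2021-11-20T10:17:03Z user=editor action=file_import url=http://169.254.169.254/latest/meta-data/ status=200
2021-11-20T10:17:30Z user=editor action=file_import url=http://rebind.attacker.example/ status=200
2021-11-20T10:18:02Z user=editor action=file_import url=https://93.184.216.34/logo.png status=200
"""

URL_FIELD = re.compile(r"\burl=(\S+)")


def is_internal(ip) -> bool:
    """Loopback, link-local, RFC 1918, reserved and unspecified addresses,
    judging IPv4-mapped IPv6 addresses by the embedded IPv4 address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def classify_import(url: str) -> str:
    """'internal-ip' | 'public-ip' | 'hostname' | 'invalid'.

    A hostname cannot be judged from the log line alone: with DNS rebinding it
    resolves to a public address when checked and to an internal one when the
    server connects, so those entries need correlation with the server's
    outbound connection or DNS logs.
    """
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    return "internal-ip" if is_internal(ip) else "public-ip"


def triage(log_text: str) -> dict[str, list[str]]:
    """Group the URL of every import entry by classification."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = URL_FIELD.search(line)
        if m:
            url = m.group(1)
            buckets[classify_import(url)].append(url)
    return dict(buckets)


def naive_pattern_hits(log_text: str) -> list[str]:
    """Substring matching equivalent to *10.* / *172.16.* / *192.168.*, for comparison."""
    hits = []
    for line in log_text.splitlines():
        m = URL_FIELD.search(line)
        if m and any(s in m.group(1) for s in ("10.", "172.16.", "192.168.")):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    for category, urls in sorted(triage(SAMPLE_LOG).items()):
        print(f"{category:12} {urls}")
    print("naive hits  ", naive_pattern_hits(SAMPLE_LOG))
```

Against the sample, the address-aware triage reports four internal-IP imports (10.0.0.5, 172.20.1.9, ::1 and the 169.254.169.254 metadata endpoint) and two hostnames to correlate, while the substring patterns report only two hits, one of them the benign cdn10.example.com.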
