CVE-2021-31950

7.6 HIGH

📋 TL;DR

CVE-2021-31950 is a server-side request forgery (SSRF) vulnerability in Microsoft SharePoint Server that allows authenticated attackers to send crafted requests from the SharePoint server to internal systems. This can lead to information disclosure, internal network scanning, or interaction with internal services. Organizations running vulnerable SharePoint Server versions are affected.

💻 Affected Systems

Products:
  • Microsoft SharePoint Server
Versions: Microsoft SharePoint Server 2019, 2016, 2013, and SharePoint Foundation 2013
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access. SharePoint Online is not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive internal systems, exfiltrate data, or use SharePoint as a pivot point to attack other internal resources.

🟠 Likely Case

Information disclosure from internal services, scanning of internal networks, or limited interaction with internal APIs.

🟢 If Mitigated

Limited to authenticated users only, with network segmentation preventing access to critical internal systems.

🌐 Internet-Facing: HIGH if SharePoint is internet-facing and accessible to authenticated attackers.
🏢 Internal Only: MEDIUM for internal SharePoint deployments accessible to malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access. Public proof-of-concept demonstrates SSRF capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released in June 2021. Check Microsoft advisory for specific KB numbers.

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31950

Restart Required: Yes

Instructions:

1. Apply the June 2021 security update for SharePoint Server.
2. Restart the SharePoint server.
3. Test functionality after patching.

🔧 Temporary Workarounds

Restrict network access (platform: all)

Implement network segmentation to limit SharePoint server outbound connections to only necessary internal services.

Enforce authentication requirements (platform: windows)

Ensure all SharePoint access requires authentication and implement strong access controls.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SharePoint from sensitive internal systems
  • Monitor for unusual outbound connections from SharePoint servers

🔍 How to Verify

Check if Vulnerable:

Check SharePoint Server version and compare against patched versions in Microsoft advisory.

Check Version:

PowerShell: Get-SPFarm | Select BuildVersion

Alternatively, check Central Administration > Upgrade and Migration > Check product and patch installation status.

Verify Fix Applied:

Verify that the June 2021 security updates are installed and test that SSRF attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from SharePoint servers
  • Requests to internal IP ranges from SharePoint
  • Authentication logs showing suspicious user activity

Network Indicators:

  • SharePoint server making unexpected connections to internal services
  • HTTP requests to non-standard ports from SharePoint

SIEM Query:

source="sharepoint" AND (dest_ip=10.0.0.0/8 OR dest_ip=172.16.0.0/12 OR dest_ip=192.168.0.0/16) AND http_request
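The query above matches every internal destination, including the farm's normal dependencies. The following added example (not from the Microsoft advisory or this page's source) applies the same indicators to flow logs with an allowlist of expected destinations; the log format, host addresses and allowlist entries are assumptions constructed for illustration.

```python
import ipaddress

# All hosts, addresses and the log format below are constructed for illustration.
SHAREPOINT_HOSTS = {"10.1.5.20"}
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Internal dependencies the farm is expected to reach (assumed: SQL Server, LDAP).
ALLOWED = {("10.1.5.30", 1433), ("10.1.5.10", 389)}
STANDARD_HTTP_PORTS = {80, 443}

SAMPLE_LOG = """\
2021-06-10T09:00:01Z src=10.1.5.20 dst=10.1.5.30 dport=1433
2021-06-10T09:00:05Z src=10.1.5.20 dst=192.168.40.7 dport=8080
2021-06-10T09:00:06Z src=10.1.5.20 dst=172.16.3.9 dport=80
2021-06-10T09:00:09Z src=10.1.5.77 dst=10.9.9.9 dport=22
2021-06-10T09:00:12Z src=10.1.5.20 dst=203.0.113.10 dport=443
malformed line without fields
"""

def parse_line(line):
    """Return (ts, src, dst_ip, dport) or None for lines that do not parse."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return (parts[0], fields["src"],
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))
    except (KeyError, ValueError, IndexError):
        return None

def findings(log_text):
    """Flag SharePoint-originated flows to internal hosts outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event[1] not in SHAREPOINT_HOSTS:
            continue
        ts, _, dst, dport = event
        if not any(dst in net for net in PRIVATE_NETS):
            continue  # external destination: outside the internal-range indicator
        if (str(dst), dport) in ALLOWED:
            continue  # known dependency, expected traffic
        reason = "internal-dest"
        if dport not in STANDARD_HTTP_PORTS:
            reason += "+nonstandard-port"
        hits.append((ts, str(dst), dport, reason))
    return hits

if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG):
        print(*hit)
```

Build the allowlist from the farm's documented dependencies rather than from observed traffic, so that a destination already being abused is not baselined as normal.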
