CVE-2021-4075

7.2 HIGH

📋 TL;DR

CVE-2021-4075 is a Server-Side Request Forgery (SSRF) vulnerability in Snipe-IT that allows attackers to make the application send unauthorized requests to internal systems. This could lead to information disclosure or further attacks against internal infrastructure. All Snipe-IT installations using vulnerable versions are affected.

💻 Affected Systems

Products:
  • Snipe-IT
Versions: Before commit 4612b9e711b3ff5d2bcddbec5b18866d25f8e34e
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in the application's URL validation logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to attack other internal systems through the compromised Snipe-IT instance.

🟠 Likely Case

Information disclosure from internal services, potential access to metadata services, or scanning of internal network segments.

🟢 If Mitigated

Limited impact if network segmentation restricts Snipe-IT's outbound connections and internal services are properly secured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. The vulnerability is in the asset import functionality where URL validation is insufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 4612b9e711b3ff5d2bcddbec5b18866d25f8e34e and later versions

Vendor Advisory: https://github.com/snipe/snipe-it/commit/4612b9e711b3ff5d2bcddbec5b18866d25f8e34e

Restart Required: No

Instructions:

1. Update Snipe-IT to the latest version or at least commit 4612b9e711b3ff5d2bcddbec5b18866d25f8e34e.
2. Apply the patch that improves URL validation in the asset import functionality.
3. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Disable Asset Import Feature (platform: all)

Temporarily disable the asset import functionality that contains the vulnerable URL validation.

Network Segmentation (platform: linux)

Restrict Snipe-IT's outbound network access to only necessary external services.

# As written, these two rules drop ALL outbound HTTP/HTTPS from the host; allow rules for
# the external destinations Snipe-IT needs must come before them, and they do not cover
# internal services listening on other ports.
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Implement strict network egress filtering to prevent Snipe-IT from accessing internal services
  • Monitor and audit all outbound HTTP requests from the Snipe-IT application

🔍 How to Verify

Check if Vulnerable:

Check if your Snipe-IT version is before commit 4612b9e711b3ff5d2bcddbec5b18866d25f8e34e. Test the asset import functionality with SSRF payloads.

Check Version:

git log --oneline -1   # shows only the checked-out commit; the next line confirms the fix commit is an ancestor of it
git merge-base --is-ancestor 4612b9e711b3ff5d2bcddbec5b18866d25f8e34e HEAD && echo "fix commit present"

Verify Fix Applied:

Verify that commit 4612b9e711b3ff5d2bcddbec5b18866d25f8e34e is an ancestor of the deployed commit (i.e. the fix is included). Test that SSRF payloads in asset import are now properly rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Snipe-IT to internal IP addresses
  • Multiple failed asset import attempts with unusual URLs

Network Indicators:

  • HTTP requests from Snipe-IT server to internal services (169.254.169.254, 10.x, 192.168.x, etc.)
  • Unusual traffic patterns from Snipe-IT to non-standard ports

SIEM Query:

source="snipe-it-logs" AND (url CONTAINS "169.254.169.254" OR url CONTAINS "10." OR url CONTAINS "192.168.")
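The substring match on "10." in the query above also matches unrelated hosts such as example10.com. As an added example (not from this advisory or the Snipe-IT project), the following Python classifies the host of each outbound-request URL in constructed log lines with the ipaddress module instead, and goes slightly beyond the ranges listed above by also covering 172.16/12, loopback, reserved and IPv4-mapped IPv6 hosts; the "url=<url>" log field layout is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines; the "url=<url>" field layout is an assumption, not
# Snipe-IT's real log format. 93.184.216.34 stands in for a public address.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z import user=alice url=https://example10.com/assets.csv
2024-01-01T10:00:03Z import user=alice url=http://93.184.216.34/assets.csv
2024-01-01T10:00:05Z import user=bob url=http://169.254.169.254/latest/meta-data/
2024-01-01T10:00:09Z import user=bob url=http://10.0.3.7:8500/v1/kv/
2024-01-01T10:00:12Z import user=bob url=http://[::ffff:192.168.1.20]/status
2024-01-01T10:00:20Z import user=carol url=http://intranet-wiki/export.csv
2024-01-01T10:00:25Z import user=carol url=http://localhost:3306/
"""

URL_RE = re.compile(r"url=(\S+)")


def classify_host(url):
    """Return 'internal', 'external' or 'unresolved' for the URL's host.
    IP literals are tested with ipaddress (RFC 1918, loopback, link-local,
    reserved, IPv4-mapped IPv6); DNS names cannot be judged offline and come
    back 'unresolved' so they can be resolved and rechecked.
    """
    host = urlsplit(url).hostname
    if not host:
        return "unresolved"
    if host == "localhost":
        return "internal"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unresolved"  # a DNS name, not an IP literal
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # [::ffff:192.168.1.20] is really 192.168.1.20
    if addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved:
        return "internal"
    return "external"


def scan_log(text):
    """Return [(url, class)] for every url= field that is not plainly external."""
    findings = []
    for m in URL_RE.finditer(text):
        cls = classify_host(m.group(1))
        if cls != "external":
            findings.append((m.group(1), cls))
    return findings
```

Hosts reported as 'unresolved' still need a DNS lookup (ideally against the resolver the Snipe-IT host uses) before they can be cleared.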
