CVE-2021-40809

8.8 HIGH

📋 TL;DR

CVE-2021-40809 is a Server-Side Request Forgery (SSRF) vulnerability in Jamf Pro that allows attackers to make unauthorized requests from the server to internal systems. This affects Jamf Pro deployments before version 10.32.0, potentially exposing internal networks and services to attackers who can interact with the authentication workflows.

💻 Affected Systems

Products:
  • Jamf Pro
Versions: All versions before 10.32.0
Operating Systems: All platforms running Jamf Pro
Default Config Vulnerable: ⚠️ Yes
Notes: Affects deployments using specific sign-on workflows. The vulnerability is present in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access internal systems, steal sensitive data, pivot to other network resources, or execute commands on internal servers via SSRF chaining.

🟠 Likely Case

Unauthorized access to internal HTTP services, metadata services (like AWS/Azure instance metadata), or internal APIs leading to information disclosure.

🟢 If Mitigated

Limited to unsuccessful SSRF attempts with proper network segmentation and egress filtering in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires interaction with authentication workflows but is well-documented in public blogs. The SSRF technique is mature and commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.32.0

Vendor Advisory: https://docs.jamf.com/10.32.0/jamf-pro/release-notes/Resolved_Issues.html

Restart Required: Yes

Instructions:

1. Back up your Jamf Pro database and configuration.
2. Download Jamf Pro 10.32.0 or later from the Jamf Customer Center.
3. Follow the Jamf Pro upgrade documentation for your deployment type (on-premises or cloud).
4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict outbound network access from Jamf Pro servers to only necessary internal services.

Authentication Workflow Restriction (all)

Temporarily disable or restrict access to affected sign-on workflows if possible.

🧯 If You Can't Patch

  • Implement strict egress filtering on Jamf Pro servers to block unauthorized outbound requests
  • Monitor network traffic from Jamf Pro servers for unusual outbound connections to internal services

🔍 How to Verify

Check if Vulnerable:

Check the Jamf Pro version in the web interface under Settings > Global Management > Jamf Pro Version

Check Version:

Check the web interface or database for version information

Verify Fix Applied:

Confirm the version is 10.32.0 or higher and test authentication workflows for SSRF behavior

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from Jamf Pro server
  • Authentication workflow errors or anomalies

Network Indicators:

  • Jamf Pro server making requests to internal services not normally accessed
  • HTTP requests to metadata services (169.254.169.254, etc.)

SIEM Query:

source="jamf-pro" AND (http_outbound OR metadata_request OR internal_service_access)
