CVE-2023-46725

8.1 HIGH

📋 TL;DR

FoodCoopShop versions 3.2.0 through 3.6.0 contain a server-side request forgery (SSRF) vulnerability in the Network module. A manufacturer account can abuse the /api/updateProducts.json endpoint to make the server issue requests to hosts of the attacker's choosing, internal or external, which at minimum reveals whether those hosts are up (blind SSRF) and lets the server's network position be used against services that are not exposed to the internet. A time-of-check/time-of-use (TOCTOU) flaw in the image validation, which checks that a submitted URL really points to an image but allows the URL to be swapped for any other afterwards, turns this into a full SSRF.
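The check/use gap described above, modelled as an added Python illustration. This is not FoodCoopShop code (the project is PHP); Product, vulnerable_check, vulnerable_use and hardened_fetch_image are names invented for this example, and DNS and HTTP are constructed stand-ins so nothing leaves the machine. The vulnerable shape validates the image once, remembers only a flag, and later fetches whatever the stored URL points at; the hardened shape decides on a destination, fetches exactly once, and keeps the bytes rather than the URL:

```python
"""Check/use (TOCTOU) gap in URL-based image validation, simulated offline.
Added example, not FoodCoopShop code; all hosts and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed stand-ins for DNS and HTTP. 11.22.33.44 is an arbitrary public address.
DNS = {"images.example.org": "11.22.33.44"}
HTTP = {
    "11.22.33.44": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,           # a real image
    "169.254.169.254": b'{"role":"shop-web","token":"AQoDYX..."}',  # cloud metadata stand-in
    "10.0.0.5": b"<html>intranet wiki</html>",                      # internal-only service
}


def resolve(host):
    """Hostnames map through the fake DNS; IP literals resolve to themselves."""
    return DNS.get(host, host)


def fetch(ip):
    """Pretend HTTP GET against an IP. Unknown hosts behave like 'connection refused',
    which is already an oracle for host status (the advisory's blind SSRF)."""
    try:
        return HTTP[ip]
    except KeyError:
        raise ConnectionError(ip) from None


def is_image(data):
    return data.startswith(b"\x89PNG\r\n\x1a\n") or data.startswith(b"\xff\xd8\xff")


def is_public(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return ip.is_global and not ip.is_multicast


@dataclass
class Product:
    image_url: str
    image_verified: bool = False


# --- vulnerable shape: check the content once, then trust the stored URL later ---
def vulnerable_check(product):
    data = fetch(resolve(urlparse(product.image_url).hostname))
    product.image_verified = is_image(data)
    return product.image_verified


def vulnerable_use(product):
    if not product.image_verified:
        raise ValueError("image not verified")
    # The URL may have changed since the check; whatever it points at now gets fetched.
    return fetch(resolve(urlparse(product.image_url).hostname))


# --- hardened shape: validate the destination, fetch exactly once, keep the bytes ---
def hardened_fetch_image(url):
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    ip = resolve(p.hostname)
    if not is_public(ip):
        raise ValueError(f"refusing non-public destination {ip}")
    # Connect to the IP that was just checked (real code: pin the socket to `ip` and
    # send Host: p.hostname) so a second DNS answer cannot redirect the request.
    data = fetch(ip)
    if not is_image(data):
        raise ValueError("fetched content is not an image")
    return data  # store these bytes, not the URL


def hardened_rejects(url):
    """True if hardened_fetch_image refuses the URL."""
    try:
        hardened_fetch_image(url)
    except ValueError:
        return True
    return False


def demo_toctou():
    """Manufacturer submits a valid image, passes the check, then swaps the URL."""
    product = Product("http://images.example.org/logo.png")
    assert vulnerable_check(product)
    product.image_url = "http://169.254.169.254/latest/meta-data/"  # edit after the check
    return vulnerable_use(product)  # the server now fetches the metadata endpoint: full SSRF
```

The point of the hardened version is that there is no stored state an attacker can edit between check and use: the destination is judged and fetched in one step, and only the fetched bytes survive.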

💻 Affected Systems

Products:
  • FoodCoopShop
Versions: 3.2.0 through 3.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires manufacturer account access to exploit. The Network module must be enabled.

📦 What is this software?

FoodCoopShop is open source online-shop software for food cooperatives and local shops. Its optional Network module lets manufacturers who supply several coops synchronise product data between FoodCoopShop installations; the vulnerable endpoint belongs to that module.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker holding a manufacturer account turns the server into a proxy: sweeping the internal network for live hosts and open ports, reading responses from services that are reachable from the server but not from the internet, and exfiltrating whatever those services return.

🟠 Likely Case

A manufacturer account, whether the attacker's own or one taken over with stolen credentials, reaches internal resources on the server's network segment and gains a foothold against systems that trust requests originating from the FoodCoopShop host.

🟢 If Mitigated

With network segmentation and egress filtering in place, the server can only reach the destinations it legitimately needs, so the flaw is reduced to probing those destinations and the server's own loopback services; network egress filtering does not cover loopback, so services bound to 127.0.0.1 on the shop host remain in scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires valid manufacturer credentials (there is no authentication bypass) and familiarity with SSRF techniques. The vendor advisory describes the request flow in enough detail to reproduce it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.1

Vendor Advisory: https://github.com/foodcoopshop/foodcoopshop/security/advisories/GHSA-jhww-fx2j-3rf7

Restart Required: Yes

Instructions:

1. Back up the current installation and database.
2. Download FoodCoopShop version 3.6.1 or later from the official repository.
3. Replace the existing installation files with the new version.
4. Run any database migrations the release requires.
5. Restart the web server service.

🔧 Temporary Workarounds

Disable Network Module (all platforms)

Temporarily disable the Network module so the vulnerable endpoint is not served. Legitimate product synchronisation between connected shops stops while it is off.

# Edit the FoodCoopShop configuration to disable the Network module;
# consult the FoodCoopShop documentation for module management.

Restrict Manufacturer Account Access (all platforms)

Temporarily deactivate manufacturer accounts, or limit them to accounts you have re-verified, until patching is complete. Exploitation needs a valid manufacturer login, so this removes its precondition.

# Use the FoodCoopShop admin interface to deactivate manufacturer accounts,
# or deactivate the manufacturer users directly in the database (back it up first).

🧯 If You Can't Patch

  • Enforce egress filtering from the FoodCoopShop host so it can only reach the external image hosts and peer shops it actually needs; block RFC 1918 ranges and 169.254.169.254 explicitly. Egress filtering at the network edge does not stop requests to the server's own loopback address, so restrict loopback-only services (database, admin ports) with a host firewall as well.
  • Put a WAF rule on /api/updateProducts.json that rejects image URLs with a non-http(s) scheme or whose host is an IP literal in a private, loopback or link-local range. Treat this as a speed bump only: an attacker-controlled hostname that resolves to an internal address passes such a rule.

🔍 How to Verify

Check if Vulnerable:

Check the FoodCoopShop version in the admin interface or in the application files. Versions from 3.2.0 up to and including 3.6.0 are vulnerable (the advisory gives the range as 3.2.0 up to, but not including, 3.6.1); versions before 3.2.0 are not listed as affected.

Check Version:

# Check version in FoodCoopShop admin dashboard or examine config/app.php file

Verify Fix Applied:

Confirm the version is 3.6.1 or higher. Then, on a staging copy, log in as a manufacturer and call /api/updateProducts.json once with an image URL pointing at an internal address and once with one pointing at a listener you control; judge the result by whether the internal destination is refused and whether the listener receives a connection, not by the application's response message.
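A small added helper for the version check (not part of this page's original content or of the FoodCoopShop project). It parses the version string and compares numerically, because comparing version strings lexically misorders 3.10.x against 3.6.x; a pre-release of 3.6.1 itself is treated as vulnerable, a conservative assumption made here. Which file carries the version in your install is also an assumption: pass its path to check_install.

```python
"""Affected-range check for CVE-2023-46725. Added helper, not project code."""
import re
from pathlib import Path

FIRST_AFFECTED = (3, 2, 0)   # advisory: affected from 3.2.0 ...
FIXED = (3, 6, 1)            # ... up to, but not including, 3.6.1

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """'v3.6.0-beta.1' -> ((3, 6, 0), True): the numeric tuple and whether a
    pre-release tag was present. Compare tuples, never strings: as strings
    '3.10.0' < '3.6.1', which is the wrong answer."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0)), pre is not None


def is_vulnerable(version_text):
    """True for 3.2.0 <= version < 3.6.1. A pre-release of 3.6.1 is treated as
    vulnerable too (assumption: it predates the fixed release)."""
    version, prerelease = parse_version(version_text)
    if version == FIXED and prerelease:
        return True
    return FIRST_AFFECTED <= version < FIXED


def check_install(version_file):
    """Read the version from version_file (which file holds it is an assumption;
    a VERSION file in the install root is a common choice) and report on it."""
    text = Path(version_file).read_text(encoding="utf-8")
    version, _ = parse_version(text)
    return {"version": ".".join(map(str, version)), "vulnerable": is_vulnerable(text)}
```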

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /api/updateProducts.json with external or internal IP addresses in parameters
  • Multiple HEAD/GET requests from the server to unusual destinations

Network Indicators:

  • Outbound HTTP requests from the FoodCoopShop server to internal network IP ranges
  • Unusual traffic patterns from the server to external domains

SIEM Query:

source="foodcoopshop_logs" AND (uri_path="/api/updateProducts.json" AND (url_parameter CONTAINS "http://" OR url_parameter CONTAINS "https://"))

This pseudo-query only fires if the submitted image URL is actually logged: if the endpoint receives product data in a POST body, standard web server access logs will not contain it, and request-body logging at the reverse proxy or in the application is needed. It also matches every legitimate image URL; narrow it to hosts that are IP literals in private, loopback or link-local ranges, and correlate with outbound connections from the server to internal addresses, which is the more reliable signal.
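The indicators listed above as runnable detection logic, added here as an example (not FoodCoopShop code). The EGRESS_LOG lines are constructed in a shape a forward proxy or flow collector on the shop host might emit, with 192.0.2.50 standing for the shop server; internal_destinations and scan_bursts cover the network indicators, and classify_url covers the inbound side for installs that do log the submitted image URL:

```python
"""Detection logic for SSRF egress and suspicious submitted URLs. Added example with
constructed log data; not FoodCoopShop code."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed egress records (IPv4 only): "<ISO time> <src_ip> -> <dst_ip>:<port> <method> <url>".
# 192.0.2.50 stands for the shop server; 11.22.33.x are arbitrary public image hosts.
EGRESS_LOG = """\
2023-11-01T10:00:01 192.0.2.50 -> 11.22.33.44:443 GET https://images.example.org/logo.png
2023-11-01T10:00:05 192.0.2.50 -> 10.0.0.5:80 GET http://10.0.0.5/
2023-11-01T10:00:06 192.0.2.50 -> 10.0.0.6:80 GET http://10.0.0.6/
2023-11-01T10:00:07 192.0.2.50 -> 10.0.0.7:8080 GET http://10.0.0.7:8080/
2023-11-01T10:00:09 192.0.2.50 -> 169.254.169.254:80 GET http://169.254.169.254/latest/meta-data/
2023-11-01T10:30:00 192.0.2.50 -> 11.22.33.55:443 GET https://cdn.example.net/a.jpg
"""


def is_internal(ip_str):
    """Destinations a web shop has no business fetching: RFC 1918, loopback,
    link-local (incl. 169.254.169.254 cloud metadata), multicast, reserved."""
    ip = ipaddress.ip_address(ip_str)
    return ip.is_multicast or not ip.is_global


def parse_egress(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst_port, method, url = line.split(maxsplit=5)
        dst, port = dst_port.rsplit(":", 1)
        records.append({"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "port": int(port), "method": method, "url": url})
    return records


def internal_destinations(records):
    """Every outbound request to a non-public destination."""
    return [r for r in records if is_internal(r["dst"])]


def scan_bursts(records, window=timedelta(seconds=60), threshold=3):
    """Windows in which one source reached >= threshold distinct internal hosts:
    the signature of the server being used to sweep the LAN."""
    by_src = defaultdict(list)
    for r in internal_destinations(records):
        by_src[r["src"]].append(r)
    bursts = []
    for src, hits in by_src.items():
        hits.sort(key=lambda r: r["time"])
        i = 0
        while i < len(hits):
            j, hosts = i, set()
            while j < len(hits) and hits[j]["time"] - hits[i]["time"] <= window:
                hosts.add(hits[j]["dst"])
                j += 1
            if len(hosts) >= threshold:
                bursts.append({"src": src, "start": hits[i]["time"],
                               "distinct_hosts": len(hosts), "hosts": sorted(hosts)})
                i = j
            else:
                i += 1
    return bursts


def classify_url(url):
    """Reason string if a user-supplied URL (e.g. the image URL in an updateProducts
    request) is an obvious SSRF attempt, else None. Hostnames return None: whether a
    name resolves to an internal address can only be checked where the fetch happens."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return "non-http scheme"
    if p.username is not None:
        return "userinfo in URL (host confusion)"
    host = p.hostname
    if not host:
        return "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Decimal/hex integer hosts (2130706433, 0x7f000001) are accepted as IPv4 by
        # many HTTP clients and bypass naive checks; normalise them. Octal and mixed
        # dotted forms are not handled here.
        if not re.fullmatch(r"0x[0-9a-f]+|[1-9][0-9]*", host):
            return None
        try:
            ip = ipaddress.ip_address(int(host, 0))
        except ValueError:
            return "unparseable host"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_multicast or not ip.is_global:
        return "non-public IP literal"
    return None
```

On the sample data the single legitimate fetch at 10:00:01 passes, the four internal destinations between 10:00:05 and 10:00:09 are flagged individually, and scan_bursts collapses them into one sweep by 192.0.2.50. Tune window and threshold to the shop's real egress baseline before alerting on them.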
