CVE-2024-22203

9.1 CRITICAL

📋 TL;DR

This vulnerability allows attackers to perform server-side request forgery (SSRF) in Whoogle Search, enabling them to make unauthorized GET requests to internal and external resources from the server. Anyone running Whoogle Search versions before 0.8.4 is affected, particularly those with internet-facing instances or access to sensitive internal networks.

💻 Affected Systems

Products:
  • Whoogle Search
Versions: All versions prior to 0.8.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments are vulnerable by default as the vulnerable code is in core functionality.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of internal network resources, data exfiltration from internal systems, and potential lateral movement to other systems accessible from the server.

🟠 Likely Case

Unauthorized access to internal services, metadata harvesting from cloud environments, and potential credential theft from internal APIs.

🟢 If Mitigated

Limited to external resource access only, with internal network segmentation preventing access to sensitive systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with basic HTTP requests and requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.4

Vendor Advisory: https://github.com/benbusby/whoogle-search/releases/tag/v0.8.4

Restart Required: Yes

Instructions:

1. Stop the Whoogle Search service.
2. Update to version 0.8.4 using pip: 'pip install whoogle-search==0.8.4'.
3. Restart the service.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict outbound network access from the Whoogle Search server to only necessary external resources.

Input Validation (all)

Add URL validation in the 'element' endpoint so that requests to any domain not on an explicit whitelist are rejected before the server fetches anything.
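A concrete form of that validation, added here as an example and not code from the Whoogle project: it restricts the scheme, rejects literal IP addresses, requires the host to be on an allowlist (ALLOWED_HOSTS is a hypothetical allowlist, not Whoogle's configuration), and resolves the name to confirm it does not point at a loopback, link-local (which includes 169.254.169.254), private or otherwise non-global address. The resolver is injectable so the check can be exercised without network access.

```python
"""Allowlist-plus-address-range validation for a server-side fetch endpoint."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of upstream hosts the element endpoint may fetch from.
ALLOWED_HOSTS = {"www.google.com", "encrypted-tbn0.gstatic.com"}
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """Return the set of IP address strings the hostname currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_upstream_url(url, resolver=_resolve):
    """Return (ok, reason); ok is True only if the URL may be fetched server-side.

    resolver(host) -> set of IP strings; injectable for offline testing.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url are not allowed"
    # Literal IP addresses never pass: the allowlist is names only, so there is
    # no legitimate reason for a client to hand the proxy an address.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return False, f"literal ip not allowed: {host}"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host}"
    # Even an allowlisted name is resolved and checked, so a name that points at
    # an internal address (misconfiguration, DNS rebinding) is still rejected.
    try:
        addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    except (socket.gaierror, ValueError) as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        # is_global is False for loopback, link-local, private and reserved ranges.
        if not addr.is_global:
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"
```

Resolving inside the validator and again inside the HTTP client leaves a rebinding window between the two lookups; the stronger form of this check connects to the exact address the validator resolved, or performs the same non-global test in the client's connection hook.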

🧯 If You Can't Patch

  • Implement strict network egress filtering to block requests to internal IP ranges and sensitive domains.
  • Deploy a web application firewall (WAF) with SSRF protection rules to block malicious requests.

🔍 How to Verify

Check if Vulnerable:

Check if the 'element' endpoint accepts arbitrary URLs without validation by testing with internal IP addresses.

Check Version:

pip show whoogle-search | grep Version

Verify Fix Applied:

Test that the 'element' endpoint now validates URLs and rejects requests to internal resources.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound requests from Whoogle server to internal IPs
  • Requests to metadata endpoints (169.254.169.254, etc.)

Network Indicators:

  • Unexpected outbound HTTP traffic from Whoogle server to internal networks
  • Requests to cloud metadata services

SIEM Query:

source="whoogle.log" AND (dst_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254) OR url CONTAINS "element")
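The log indicators and the SIEM query above express one rule: an outbound fetch by the Whoogle server to a private, loopback, link-local or cloud-metadata address is suspicious. The scanner below, an added example not taken from Whoogle or this advisory, applies that rule to a few constructed log lines. The line format ("timestamp endpoint -> upstream URL") and the metadata hostnames are assumptions made for the example; the advisory does not show Whoogle's actual log format.

```python
"""Scan proxy logs for outbound fetches that target internal or metadata addresses."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed log format for this example: "<ts> <endpoint> -> <upstream url>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<endpoint>/\S*)\s+->\s+(?P<url>\S+)$")

# Hostname forms of cloud metadata services (assumed set for the example).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}
METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed sample log; only the second, third, fifth and sixth lines are bad.
SAMPLE_LOG = """\
2024-01-12T10:03:11Z /element -> https://www.google.com/images/logo.png
2024-01-12T10:03:12Z /element -> http://169.254.169.254/latest/meta-data/iam/
2024-01-12T10:03:13Z /element -> http://10.0.0.7:8500/v1/kv/
2024-01-12T10:03:14Z /search -> https://www.google.com/search?q=test
2024-01-12T10:03:15Z /element -> http://metadata.google.internal/computeMetadata/v1/
2024-01-12T10:03:16Z /element -> http://[fd00::1]/admin
garbage line that does not parse
"""


def classify_target(url):
    """Return a finding label for a fetched URL, or None if nothing stands out."""
    host = urlsplit(url).hostname
    if not host:
        return "no-host"
    if host.lower() in METADATA_HOSTS:
        return "metadata-hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name; the log alone cannot tell where it resolved
    if addr == METADATA_IP:
        return "metadata-ip"
    if not addr.is_global:
        return "internal-ip"  # loopback, link-local, private or reserved range
    return "literal-public-ip"  # low priority, but a literal address is worth a look


def scan_log(text):
    """Return (ts, endpoint, url, finding) for every suspicious parsable line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not treated as findings
        finding = classify_target(m["url"])
        if finding is not None:
            findings.append((m["ts"], m["endpoint"], m["url"], finding))
    return findings


if __name__ == "__main__":
    for ts, endpoint, url, finding in scan_log(SAMPLE_LOG):
        print(f"{ts} {finding:18} {endpoint} -> {url}")
```

The classifier deliberately returns None for DNS names, because a proxy log only records what the client asked for; pairing it with resolver or egress logs (the "Network Indicators" above) is what turns a hostname-based fetch into an attributable finding.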
