Login Sign Up

CVE-2024-22205

9.1 CRITICAL
SSRF

📋 TL;DR

This vulnerability in Whoogle Search allows attackers to perform server-side request forgery (SSRF) by exploiting unsanitized user input in the 'window' endpoint. Attackers can craft requests to access internal network resources or external systems that the server can reach. All users running Whoogle Search versions 0.8.3 and earlier are affected.

💻 Affected Systems

Products:
  • Whoogle Search
Versions: 0.8.3 and prior
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with the vulnerable endpoint accessible are affected regardless of configuration.

📦 What is this software?

Whoogle Search by Benbusby

View all CVEs affecting Whoogle Search →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of internal network resources, data exfiltration, or using the server as a proxy for attacks against other systems.

🟠

Likely Case

Unauthorized access to internal services, metadata harvesting, or scanning of internal network resources.

🟢

If Mitigated

Limited to accessing only allowed external resources if proper input validation and network segmentation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit with basic HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.4

Vendor Advisory: https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda

Restart Required: Yes

Instructions:

1. Update Whoogle Search to version 0.8.4 or later. 2. Restart the Whoogle Search service. 3. Verify the update by checking the version.

🔧 Temporary Workarounds

Disable vulnerable endpoint

all

Remove or block access to the '/window' endpoint that contains the vulnerability.

Modify app/routes.py to comment out or remove the vulnerable route

Network segmentation

all

Restrict Whoogle Search server's network access to only required external resources.

Configure firewall rules to limit outbound connections from the Whoogle server

🧯 If You Can't Patch

  • Implement strict network segmentation to limit the server's access to internal resources.
  • Deploy a web application firewall (WAF) with SSRF protection rules.

🔍 How to Verify

Check if Vulnerable:

Check if Whoogle Search version is 0.8.3 or earlier and if the '/window' endpoint is accessible.

Check Version:

Check the Whoogle Search interface or configuration files for version information.

Verify Fix Applied:

Confirm version is 0.8.4 or later and test that SSRF attempts via the '/window' endpoint are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to the '/window' endpoint with crafted 'location' parameters
  • Outbound requests from Whoogle server to internal IP addresses or unusual domains

Network Indicators:

  • Whoogle server making unexpected HTTP requests to internal network ranges
  • Traffic patterns suggesting the server is being used as a proxy

SIEM Query:

source="whoogle.log" AND (uri_path="/window" AND location=*) OR (src_ip="whoogle_server_ip" AND dst_ip="internal_range")

📊 Metadata

CVE ID: CVE-2024-22205
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-918
Published: January 23, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-22205, you might also want to check these:

CVE-2023-3432 10.0

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in PlantUML versions prior to ...

Same vulnerability type (CWE-918)
CVE-2025-2828 10.0

This Server-Side Request Forgery (SSRF) vulnerability in langchain-community's RequestsToolkit allow...

Same vulnerability type (CWE-918)
CVE-2023-43654 10.0

TorchServe versions 0.1.0 to 0.8.1 have a critical vulnerability where the default configuration lac...

Same vulnerability type (CWE-918)