CVE-2024-33449
📋 TL;DR
This SSRF vulnerability in PDFMyURL allows attackers to make the service send requests to internal systems, potentially accessing sensitive data or executing code on those systems. Any organization using the vulnerable PDFMyURL service is affected, particularly those with internal services accessible from the PDFMyURL server.
💻 Affected Systems
- PDFMyURL
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise leading to data exfiltration, lateral movement to internal networks, and complete system takeover.
Likely Case
Information disclosure from internal services, potential access to cloud metadata, and limited internal network reconnaissance.
If Mitigated
Limited to port scanning of internal services if proper network segmentation and egress filtering are implemented.
🎯 Exploit Status
Exploitation requires only a crafted POST request to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version from vendor
Vendor Advisory: https://pdfmyurl.com/
Restart Required: Yes
Instructions:
1. Check current PDFMyURL version
2. Update to latest version from vendor
3. Restart the PDFMyURL service
4. Verify the fix is applied
🔧 Temporary Workarounds
Input Validation Filter
Implement strict URL validation that rejects internal IP addresses and localhost references before the URL is fetched.
Implement a deny-list regex filter such as: ^(?!https?://(?:localhost|127\.|0\.0\.0\.0|\[::1\]|10\.|169\.254\.|172\.(?:1[6-9]|2[0-9]|3[0-1])\.|192\.168\.)).*$
This pattern only inspects the URL text, so it does not catch hostnames that resolve to internal addresses or redirects to them; pair it with an address check at fetch time.
Network Egress Filtering
Configure the host firewall so the PDFMyURL server can only make the outbound connections it needs (DNS plus HTTP/HTTPS to external hosts) and cannot reach private or link-local ranges:
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16 -j DROP
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -j DROP
🧯 If You Can't Patch
- Isolate PDFMyURL server in a DMZ with strict outbound filtering
- Implement WAF rules to block SSRF patterns in POST requests
🔍 How to Verify
Check if Vulnerable:
Send a POST request with the url parameter set to http://localhost:80 and check whether the server responds with content fetched from that address
Check Version:
Check service documentation or contact vendor for version information
Verify Fix Applied:
Repeat the same SSRF test and verify that requests to internal addresses are rejected
📡 Detection & Monitoring
Log Indicators:
- POST requests with unusual URL patterns
- Outbound connections from PDFMyURL to internal IP ranges
- Error logs showing connection failures to localhost/private IPs
Network Indicators:
- Unusual outbound traffic from PDFMyURL server to internal networks
- PDFMyURL server making requests to metadata services (169.254.169.254)
SIEM Query:
source="pdfmyurl" AND (url="*://localhost*" OR url="*://127.*" OR url="*://169.254.169.254*" OR url="*://10.*" OR url="*://192.168.*" OR url="*://172.16.*" OR url="*://172.17.*" OR url="*://172.18.*" OR url="*://172.19.*" OR url="*://172.20.*" OR url="*://172.21.*" OR url="*://172.22.*" OR url="*://172.23.*" OR url="*://172.24.*" OR url="*://172.25.*" OR url="*://172.26.*" OR url="*://172.27.*" OR url="*://172.28.*" OR url="*://172.29.*" OR url="*://172.30.*" OR url="*://172.31.*")
Wildcard matching has no range syntax, so the 172.16.0.0/12 block is spelled out; if your SIEM supports a regex operator, 172\.(1[6-9]|2[0-9]|3[01])\. is shorter. Anchoring on "://" avoids matching paths such as /v10.2/.
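The following is an added example, not code from PDFMyURL or from this advisory. It implements the "Input Validation Filter" workaround as a resolve-then-check validator (so a public hostname that points at an internal address is rejected, which the text-only regex cannot do) and reuses the same address test over constructed request-log lines as an offline version of the SIEM query above. The log format, the hostnames and the `resolver` parameter are assumptions made for the example.

```python
"""Added example (not PDFMyURL's code): SSRF target validation and log detection."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Ranges the advisory's regex and SIEM query are trying to cover, expressed as
# networks so 172.16.0.0/12 is a real range rather than the wildcard "172.16-31.*".
# The cloud metadata address 169.254.169.254 falls inside 169.254.0.0/16.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "127.0.0.0/8",     # loopback
        "10.0.0.0/8",      # RFC 1918
        "172.16.0.0/12",   # RFC 1918
        "192.168.0.0/16",  # RFC 1918
        "169.254.0.0/16",  # link-local, includes 169.254.169.254
        "0.0.0.0/8",       # "this host"
        "::1/128",         # IPv6 loopback
        "fc00::/7",        # IPv6 unique local
        "fe80::/10",       # IPv6 link-local
    )
]


def is_blocked_address(ip_text):
    """True if ip_text is an IP literal inside any blocked network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP literal (a hostname or garbage)
    # IPv4-mapped IPv6 literals such as ::ffff:10.0.0.1 are checked as IPv4
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolver(hostname):
    """Every A/AAAA address the system resolver returns for hostname."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def validate_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL the service is asked to fetch.

    Only http(s) is accepted, and every address the host resolves to must lie
    outside BLOCKED_NETWORKS. The resolver is injectable so the check can be
    tested offline; in production the fetcher must connect to the address that
    was validated (and re-validate after each redirect) to defeat DNS rebinding.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "no hostname"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, "resolution failed: %s" % exc
    for addr in addresses:
        if is_blocked_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


# Constructed request-log sample for the detection part; not real PDFMyURL logs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z source=pdfmyurl method=POST url=https://example.com/report
2024-05-01T10:00:02Z source=pdfmyurl method=POST url=http://127.0.0.1:80/
2024-05-01T10:00:03Z source=pdfmyurl method=POST url=http://169.254.169.254/latest/meta-data/
2024-05-01T10:00:04Z source=pdfmyurl method=POST url=http://172.20.3.7/admin
2024-05-01T10:00:05Z source=pdfmyurl method=POST url=https://example.com/v10.2/notes
2024-05-01T10:00:06Z source=pdfmyurl method=POST url=http://[::1]:8080/
"""

LOG_URL = re.compile(r"\burl=(\S+)")


def detect_internal_targets(log_text):
    """Return log lines whose url= host is localhost or an IP in BLOCKED_NETWORKS.

    The check runs on the parsed host, so unlike the wildcard url="*10.*" a path
    such as /v10.2/ does not produce a false positive.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_URL.search(line)
        if not match:
            continue
        host = urlsplit(match.group(1)).hostname
        if host and (host == "localhost" or is_blocked_address(host)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for line in detect_internal_targets(SAMPLE_LOG):
        print("internal target:", line)
```

Because the validator is only as good as the address the fetcher finally connects to, the real protection is to resolve once, check, and then connect to that checked address; a separate lookup inside the HTTP client reopens the rebinding window the regex filter already leaves open.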