CVE-2024-41668
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in cBioPortal's proxy endpoint. Unauthenticated attackers can exploit publicly exposed instances, while authenticated users can exploit private instances. The vulnerability allows attackers to make arbitrary HTTP requests from the server, potentially accessing internal resources.
💻 Affected Systems
- cBioPortal for Cancer Genomics
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to internal networks by making the server request internal resources like metadata services, databases, or cloud instance metadata.
Likely Case
Information disclosure from internal services, scanning of internal networks, or accessing cloud metadata to obtain credentials.
If Mitigated
Limited impact with proper network segmentation and authentication controls in place.
🎯 Exploit Status
SSRF vulnerabilities are commonly exploited. The advisory includes technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.0.12
Vendor Advisory: https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm
Restart Required: Yes
Instructions:
1. Back up your current installation.
2. Update to version 6.0.12 using your deployment method (Docker, manual, etc.).
3. Restart the cBioPortal service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Disable proxy endpoint via nginx
Block access to the vulnerable /proxy endpoint using web server configuration:
location /proxy { deny all; return 403; }
Note that in nginx the return directive runs in the rewrite phase, before deny all is evaluated, so either directive on its own is enough to block the path; the prefix location /proxy also matches every path that begins with /proxy, which is the intended scope here.
🧯 If You Can't Patch
- Implement strict network segmentation to limit the server's access to internal resources
- Add authentication requirements for all endpoints and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check whether the version is below 6.0.12 and whether the /proxy endpoint is reachable without authentication
Check Version:
Check the application interface or deployment configuration for version information
Verify Fix Applied:
Confirm the version is 6.0.12 or higher and test that the /proxy endpoint returns an appropriate error or requires authentication
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /proxy endpoint
- Outbound requests from server to internal IP ranges
- Multiple failed authentication attempts followed by proxy requests
Network Indicators:
- HTTP requests from server to internal services that don't normally communicate
- Traffic patterns suggesting internal network scanning
SIEM Query:
source_ip=server_ip AND (uri_path="/proxy" OR dest_ip IN internal_ranges)
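The log indicators above can be turned into a concrete check. The following script is an added example, not part of the original advisory or of the cBioPortal project: it scans web server access-log lines for requests to the /proxy endpoint whose proxied target is an IP literal in a loopback, link-local, private or other non-global range, and tallies such requests per client. The sample log lines are constructed, and the query parameter name ("url") is an assumption; check the actual request format of your deployment before relying on it.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a common nginx/Apache combined-log layout.
# The "url" query parameter is an assumed name for the proxied target.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2024:10:01:02 +0000] "GET /api/studies HTTP/1.1" 200 512
203.0.113.9 - - [12/Jul/2024:10:01:05 +0000] "GET /proxy?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1024
203.0.113.9 - - [12/Jul/2024:10:01:06 +0000] "GET /proxy?url=http%3A%2F%2F10.0.0.20%3A5432%2F HTTP/1.1" 502 0
198.51.100.4 - - [12/Jul/2024:10:02:00 +0000] "GET /proxy?url=https%3A%2F%2Fexample.org%2Fdata.json HTTP/1.1" 200 2048
203.0.113.9 - - [12/Jul/2024:10:02:10 +0000] "GET /proxy?url=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 403 0
"""

# Client IP, timestamp, method, request target and status code from one line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_internal_host(host: str) -> bool:
    """True if host is 'localhost' or an IP literal outside the globally
    routable space (loopback, link-local, RFC 1918, etc.). Hostnames are not
    resolved here so the check stays offline; resolve them in production."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not ip.is_global


def proxied_target(line: str):
    """Return (client_ip, status, proxied_host) for a /proxy request, or None
    for lines that are unparsable or not aimed at the proxy endpoint.
    proxied_host is None when no query value parses as a URL with a host."""
    m = LOG_RE.match(line)
    if not m or not m["target"].startswith("/proxy"):
        return None
    params = parse_qs(urlsplit(m["target"]).query)  # values are URL-decoded
    for values in params.values():
        for value in values:
            host = urlsplit(value).hostname
            if host:
                return m["src"], int(m["status"]), host
    return m["src"], int(m["status"]), None


def find_ssrf_indicators(log_text: str):
    """Return (hits, per_source): hits lists /proxy requests whose target is an
    internal host; per_source counts those hits per client IP so that a burst
    from one client can be alerted on."""
    hits = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = proxied_target(line)
        if rec is None:
            continue
        src, status, host = rec
        if host is not None and is_internal_host(host):
            hits.append({"src": src, "status": status, "host": host})
            per_source[src] += 1
    return hits, per_source


if __name__ == "__main__":
    found, counts = find_ssrf_indicators(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['src']} -> /proxy -> {hit['host']} (status {hit['status']})")
    for src, n in counts.most_common():
        print(f"{src}: {n} internal-target proxy request(s)")
```

Both successful (200) and failed (403, 502) attempts are reported, since a failed attempt still shows a client probing the internal network through the proxy; the status code is kept so an alert can distinguish the two.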
🔗 References
- https://github.com/cBioPortal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5
- https://github.com/cBioPortal/cbioportal/pull/10884
- https://github.com/cBioPortal/cbioportal/releases/tag/v6.0.12
- https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm
- https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2024-004