CVE-2024-22205

CVSS V2 None CVSS V3 None

Description

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `window` endpoint does not sanitize user-supplied input from the `location` variable and passes it to the `send` method which sends a `GET` request on lines 339-343 in `request.py,` which leads to a server-side request forgery. This issue allows for crafting GET requests to internal and external resources on behalf of the server. For example, this issue would allow for accessing resources on the internal network that the server has access to, even though these resources may not be accessible on the internet. This issue is fixed in version 0.8.4.

Overview

CVE ID
CVE-2024-22205

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-01-23T17:21:40.982Z

Last Modified Date
2024-01-23T17:21:40.982Z

Weakness Enumerations

CWE	URL
CWE-918	http://cwe.mitre.org/data/definitions/918.html

References

Reference URL	Reference Tags
https://securitylab.github.com/advisories/GHSL-2023-186_GHSL-2023-189_benbusby_whoogle-search/	x_refsource_CONFIRM
https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda	x_refsource_MISC
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/request.py#L339-L343	x_refsource_MISC
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L479	x_refsource_MISC
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L496-L557	x_refsource_MISC
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L497	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-22205
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22205

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 09:10:11				Added to TrackCVE