CVE-2024-31215 (GCVE-0-2024-31215)

Vulnerability from cvelistv5 – Published: 2024-04-04 16:10 – Updated: 2024-08-02 01:46
VLAI?
Summary
Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.
Severity ?
6.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
Vendor Product Version
MobSF Mobile-Security-Framework-MobSF Affected: <= 3.9.7
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31215",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-09T16:01:30.374998Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:36:55.369Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:46:04.599Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"
          },
          {
            "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"
          },
          {
            "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Mobile-Security-Framework-MobSF",
          "vendor": "MobSF",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 3.9.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.\nA SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\u2019s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-04T16:10:18.954Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"
        },
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"
        },
        {
          "name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"
        }
      ],
      "source": {
        "advisory": "GHSA-wpff-wm84-x5cx",
        "discovery": "UNKNOWN"
      },
      "title": "Mobile Security Framework (MobSF) vulnerable to Server-Side Request Forgery (SSRF) in firebase database check"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-31215",
    "datePublished": "2024-04-04T16:10:18.954Z",
    "dateReserved": "2024-03-29T14:16:31.901Z",
    "dateUpdated": "2024-08-02T01:46:04.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.\\nA SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\\u2019s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.\\n\"}, {\"lang\": \"es\", \"value\": \"Mobile Security Framework (MobSF) es una plataforma de investigaci\\u00f3n de seguridad para aplicaciones m\\u00f3viles en Android, iOS y Windows Mobile. Una vulnerabilidad SSRF en la l\\u00f3gica de verificaci\\u00f3n de la base de datos de Firebase. El atacante puede hacer que el servidor establezca una conexi\\u00f3n con servicios exclusivamente internos dentro de la infraestructura de la organizaci\\u00f3n. Cuando se carga una aplicaci\\u00f3n maliciosa en el analizador est\\u00e1tico, es posible realizar solicitudes internas. Esta vulnerabilidad ha sido parcheada en la versi\\u00f3n 3.9.8.\"}]",
      "id": "CVE-2024-31215",
      "lastModified": "2024-11-21T09:13:03.530",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.4}]}",
      "published": "2024-04-04T16:15:09.787",
      "references": "[{\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-918\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-31215\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-04T16:15:09.787\",\"lastModified\":\"2025-06-30T13:04:19.583\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.\\nA SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\u2019s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.\\n\"},{\"lang\":\"es\",\"value\":\"Mobile Security Framework (MobSF) es una plataforma de investigaci\u00f3n de seguridad para aplicaciones m\u00f3viles en Android, iOS y Windows Mobile. Una vulnerabilidad SSRF en la l\u00f3gica de verificaci\u00f3n de la base de datos de Firebase. El atacante puede hacer que el servidor establezca una conexi\u00f3n con servicios exclusivamente internos dentro de la infraestructura de la organizaci\u00f3n. Cuando se carga una aplicaci\u00f3n maliciosa en el analizador est\u00e1tico, es posible realizar solicitudes internas. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 3.9.8.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.9.8\",\"matchCriteriaId\":\"66D2235C-C828-4EEB-8D92-B0F1CDF83F24\"}]}]}],\"references\":[{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Mobile Security Framework (MobSF) vulnerable to Server-Side Request Forgery (SSRF) in firebase database check\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-918\", \"lang\": \"en\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"LOW\", \"baseScore\": 6.3, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx\"}, {\"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373\"}, {\"name\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716\"}], \"affected\": [{\"vendor\": \"MobSF\", \"product\": \"Mobile-Security-Framework-MobSF\", \"versions\": [{\"version\": \"\u003c= 3.9.7\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-04-04T16:10:18.954Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.\\nA SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\\u2019s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.\\n\"}], \"source\": {\"advisory\": \"GHSA-wpff-wm84-x5cx\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-31215\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-04-09T16:01:30.374998Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:22.680Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-31215\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-03-29T14:16:31.901Z\", \"datePublished\": \"2024-04-04T16:10:18.954Z\", \"dateUpdated\": \"2024-06-04T17:36:55.369Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.