Moderate severity vulnerability was found in composer concrete5/core (composer) .

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer.

References


Courtesy:https://github.com/advisories/GHSA-mcxr-fx5f-96qq

By admin

Leave a Reply

Your email address will not be published. Required fields are marked *