CVE-2024-23336

Incomplete disallowed remote addresses list in MyBB

Severity Score

5.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

MyBB es un software de foro gratuito y de código abierto. La lista predeterminada de hosts remotos no permitidos no contiene el bloque `127.0.0.0/8`, lo que puede provocar una vulnerabilidad de Server Side Request Forgery (SSRF). La lista de _Direcciones remotas no permitidas_ del archivo de configuración ("$config['disallowed_remote_addresses']`) contiene la dirección `127.0.0.1`, pero no incluye el bloque completo `127.0.0.0/8`. MyBB 1.8.38 resuelve este problema en las instalaciones predeterminadas. Los administradores de las placas instaladas deben actualizar la configuración existente (`inc/config.php`) para incluir todas las direcciones bloqueadas de forma predeterminada. Además, se recomienda a los usuarios que verifiquen que incluya otras direcciones IPv4 que se resuelvan en el servidor y otros recursos internos. Los usuarios que no puedan actualizar pueden agregar manualmente 127.0.0.0/8' a su lista de direcciones no permitidas.

*Credits: N/A

CVSS Scores

GitHubv3.1 5.0

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-01-15 CVE Reserved
2024-05-01 CVE Published
2024-05-01 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-184: Incomplete List of Disallowed Inputs
CWE-918: Server-Side Request Forgery (SSRF)

CAPEC

References (4)

URL	Tag	Source
https://docs.mybb.com/1.8/administration/configuration-file	X_refsource_misc
https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630	X_refsource_misc
https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h	X_refsource_confirm
https://mybb.com/versions/1.8.38	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mybb Search vendor "Mybb"		Mybb Search vendor "Mybb" for product "Mybb"				< 1.8.38 Search vendor "Mybb" for product "Mybb" and version " < 1.8.38"		en		Affected