// For flags

CVE-2024-31215

Mobile Security Framework (MobSF) vulnerable to Server-Side Request Forgery (SSRF) in firebase database check

Severity Score

6.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.
A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.

Mobile Security Framework (MobSF) es una plataforma de investigación de seguridad para aplicaciones móviles en Android, iOS y Windows Mobile. Una vulnerabilidad SSRF en la lógica de verificación de la base de datos de Firebase. El atacante puede hacer que el servidor establezca una conexión con servicios exclusivamente internos dentro de la infraestructura de la organización. Cuando se carga una aplicación maliciosa en el analizador estático, es posible realizar solicitudes internas. Esta vulnerabilidad ha sido parcheada en la versión 3.9.8.

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-03-29 CVE Reserved
  • 2024-04-04 CVE Published
  • 2024-04-21 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
MobSF
Search vendor "MobSF"
 Mobile-Security-Framework-MobSF
Search vendor "MobSF" for product "Mobile-Security-Framework-MobSF"
 <= 3.9.7
Search vendor "MobSF" for product "Mobile-Security-Framework-MobSF" and version " <= 3.9.7"
en
Affected