CVE-2023-7078
7.5
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server. If Miniflare was configured to listen on external network interfaces (as was the default in wrangler until 3.19.0), an attacker on the local network could access other local servers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Cloudflare | miniflare | 0 <= <=3.20230821.0 | affected |
| Cloudflare | miniflare | 0 < 3.20231030.2 | affected |
Weaknesses
- CWE-918: CWE-918 Server-Side Request Forgery (SSRF)
Workarounds
Ensure Miniflare is configured to listen on just local interfaces. This is the default behaviour, but can also be configured with the host: "127.0.0.1" option.
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7
- https://github.com/cloudflare/workers-sdk/pull/4532
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-fwvg-2739-22v7
- https://github.com/cloudflare/workers-sdk/pull/4532
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.