CVE-2020-35850 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Low
Remote	Yes
Type	Cross-site request forgery
Description	A server-side request forgery issue was discovered in cockpit-project.org Cockpit 234. It allows a user to send requests to internal hosts for detecting open ports, allowing the firewall configuration to be bypassed or the server to be used as a gateway by a malicious user. NOTE: the vendor states "I don't think [it] is a big real-life issue."

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1393	cockpit	259-1	260-1	Medium	Fixed

References
https://github.com/passtheticket/vulnerability-research/blob/main/cockpitProject/README.md https://github.com/cockpit-project/cockpit/issues/15077 https://docs.unsafe-inline.com/0day/cokpit-version-234-server-side-request-forgery-cve-2020-35850 https://www.exploit-db.com/exploits/49397

References

https://github.com/passtheticket/vulnerability-research/blob/main/cockpitProject/README.md
https://github.com/cockpit-project/cockpit/issues/15077
https://docs.unsafe-inline.com/0day/cokpit-version-234-server-side-request-forgery-cve-2020-35850
https://www.exploit-db.com/exploits/49397

Notes
The validity of this issue is disputed.