qwqdanchun
/
Goby
mirror of https://github.com/qwqdanchun/Goby.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Goby/json/Sentinel-Sentinel-dashboard...

69 lines
4.0 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Name": "Sentinel Sentinel-dashboard SSRF",
"Description": "<p>Sentinel is a powerful flow control component issued by Alibaba, which can realize the reliability, flexibility and monitoring of microservices.</p><p>The Sentinel control platform Sentinel-dashboard has a pre-authentication SSRF vulnerability. There is no verification in the ip field, and it can be truncated by passing #. Attackers can perform SSRF attacks through this interface.</p>",
"Product": "Sentinel",
"Homepage": "https://github.com/alibaba/Sentinel",
"DisclosureDate": "2021-11-23",
"Author": "1291904552@qq.com",
"FofaQuery": "body=\"Sentinel Dashboard\"",
"GobyQuery": "body=\"Sentinel Dashboard\"",
"Level": "2",
"Impact": "<p>The Sentinel control platform Sentinel-dashboard has a pre-authentication SSRF vulnerability. There is no verification in the ip field, and it can be truncated by passing #. Attackers can perform SSRF attacks through this interface.</p>",
"Recommendation": "<p>The vendor has released a bug fix, please pay attention to the update in time: <a href=\"https://github.com/alibaba/Sentinel\">https://github.com/alibaba/Sentinel</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>",
"Translation": {
"CN": {
"Name": "Sentinel Sentinel-dashboard SSRF",
"VulType": ["SSRF漏洞"],
"Tags": ["SSRF漏洞"],
"Description": "<p>Sentinel是阿里巴巴发行的一个强大的流量控制组件可实现微服务的可靠性、弹性和监控平台。</p><p>Sentinel 管控平台 Sentinel-dashboard 存在认证前 SSRF 漏洞ip字段无任何验证通过#就可以截断,攻击者可通过该接口进行 SSRF 攻击。</p>",
"Impact": "<p>Sentinel 管控平台 Sentinel-dashboard 存在认证前 SSRF 漏洞ip字段无任何验证通过#就可以截断,攻击者可通过该接口进行 SSRF 攻击。</p>",
"Product": "Sentinel",
"Recommendation": "<p>⼚商已发布了漏洞修复程序,请及时关注更新:<a href=\"https://github.com/alibaba/Sentinel\">https://github.com/alibaba/Sentinel</a></p><p>1、通过防⽕墙等安全设备设置访问策略设置⽩名单访问。</p><p>2、如⾮必要禁⽌公⽹访问该系统。</p>"
},
"EN": {
"Name": "Sentinel Sentinel-dashboard SSRF",
"VulType": ["ssrf"],
"Tags": ["ssrf"],
"Description": "<p>Sentinel is a powerful flow control component issued by Alibaba, which can realize the reliability, flexibility and monitoring of microservices.</p><p>The Sentinel control platform Sentinel-dashboard has a pre-authentication SSRF vulnerability. There is no verification in the ip field, and it can be truncated by passing #. Attackers can perform SSRF attacks through this interface.</p>",
"Impact": "<p>The Sentinel control platform Sentinel-dashboard has a pre-authentication SSRF vulnerability. There is no verification in the ip field, and it can be truncated by passing #. Attackers can perform SSRF attacks through this interface.</p>",
"Product": "Sentinel",
"Recommendation": "<p>The vendor has released a bug fix, please pay attention to the update in time: <a href=\"https://github.com/alibaba/Sentinel\">https://github.com/alibaba/Sentinel</a></p><p>1. Set access policies and whitelist access through security devices such as firewalls.</p><p>2.If not necessary, prohibit public network access to the system.</p>"
}
},
"References": [
"https://github.com/alibaba/Sentinel/issues/2451"
],
"HasExp": true,
"ExpParams": [
{
"name": "ssrf",
"type": "input",
"value": "xxx.dnslog.cn"
}
],
"ExpTips": null,
"ScanSteps": null,
"Tags": [
"ssrf"
],
"VulType": [
"ssrf"
],
"CVEIDs": [
""
],
"CVSSScore": "7.0",
"AttackSurfaces": {
"Application": ["Sentinel"],
"Support": null,
"Service": null,
"System": null,
"Hardware": null
},
"CNNVD": [
""
],
"CNVD": [
""
]
}
Reference in New Issue View Git Blame Copy Permalink