CWE-918 Server-Side Request Forgery (SSRF) weakness class: summary of 1659 CVE vulnerabilities, with AI-generated analysis in Chinese.
CWE-918 Server-Side Request Forgery (SSRF) is a vulnerability that lets an attacker induce a server to issue requests of the attacker's choosing. When a server accepts an externally supplied URL and fetches its content, failing to strictly validate the target address lets an attacker craft requests that reach internal network resources or probe internal services, bypassing firewall restrictions. Developers should enforce a strict allowlist, restrict the permitted protocols, disable redirects, and validate all input in depth, so that requests can only reach the intended, legitimate external resources.
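The mitigation chain described above (scheme allowlist, host allowlist, resolve the host and refuse any non-public address, redirects disabled), as an added Python example that is not part of this page; the policy sets, the hostnames in them and the injectable `resolve` hook are assumptions made for illustration.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlsplit

# Hypothetical policy for this example; a real service would load it from configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"example.com", "api.example.com"}
ALLOWED_PORTS = {443}

def resolve_all(host):  # every address (IPv4 and IPv6) the host currently maps to
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def validate_outbound_url(url, resolve=resolve_all):
    """Return (ok, reason); ok is True only when every check in the chain passes."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443  # .port raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:  # no file://, gopher://, http://
        return False, "scheme not allowed"
    host = parts.hostname  # parsed authority, so user@host forms cannot smuggle a host
    if not host or host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addresses = resolve(host)
    except OSError:  # socket.gaierror is an OSError
        addresses = set()
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:  # every record must be public, not just the first one
        ip = ipaddress.ip_address(addr.split("%")[0])  # strip IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip  # check ::ffff:a.b.c.d as a.b.c.d
        if not ip.is_global:  # loopback, private, link-local, multicast, reserved
            return False, f"resolves to non-public address {addr}"
    return True, "ok"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # None makes urlopen raise HTTPError on any 3xx instead of following it

def fetch_validated(url, timeout=5):
    ok, reason = validate_outbound_url(url)
    if not ok:
        raise ValueError(f"refusing outbound request: {reason}")
    with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
        return resp.read()
```

Resolving first and connecting afterwards leaves a DNS rebinding window between the two lookups; in production, pin the connection to the address that was validated rather than letting the HTTP client resolve again.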
Vulnerable code (the user-supplied URL reaches `file_get_contents()` unchecked, so the server fetches whatever target the client names):

```php
<?php
$url = $_GET['url']; # User-controlled input

# Fetch the content of the provided URL
$response = file_get_contents($url);
echo $response;
```

Fixed code (exact-match allowlist of permitted URLs):

```php
<?php
# Define allowed URLs (or domains)
$allowed_urls = [
    'https://example.com/data.json',
    'https://api.example.com/info',
];

# Get the user-provided URL
$url = $_GET['url'] ?? '';

# Validate against allowed URLs (strict comparison, exact match only)
if (!in_array($url, $allowed_urls, true)) {
    http_response_code(400);
    echo "Invalid or unauthorized URL.";
    exit;
}

# Fetch content safely
$response = @file_get_contents($url);
if ($response === false) {
    http_response_code(500);
    echo "Failed to fetch content.";
    exit;
}
echo htmlspecialchars($response); # Escape output for safety
```

| CVE ID | Title | CVSS | Risk Level | Published |
|---|---|---|---|---|
| CVE-2024-41813 | TxtDot security vulnerability — txtdot | 7.5 | High | 2024-07-26 |
| CVE-2024-41812 | TxtDot security vulnerability — txtdot | 7.5 | High | 2024-07-26 |
| CVE-2024-6922 | Automation Anywhere Automation 360 security vulnerability — Automation 360 | 8.2 | - | 2024-07-26 |
| CVE-2024-41668 | cBioPortal security vulnerability — cbioportal | 8.3 | High | 2024-07-23 |
| CVE-2024-41664 | Canarytokens security vulnerability — canarytokens | 5.4 | Medium | 2024-07-23 |
| CVE-2024-37942 | WordPress plugin BerqWP code issue vulnerability — BerqWP | 7.2 | High | 2024-07-22 |
| CVE-2024-38723 | WordPress plugin JSON Content Importer code issue vulnerability — JSON Content Importer | 6.4 | Medium | 2024-07-22 |
| CVE-2024-38728 | WordPress plugin Seraphinite Post .DOCX Source code issue vulnerability — Seraphinite Post .DOCX Source | 7.1 | High | 2024-07-22 |
| CVE-2024-38730 | WordPress plugin Magical Addons For Elementor code issue vulnerability — Magical Addons For Elementor | 4.9 | Medium | 2024-07-22 |
| CVE-2024-38758 | WordPress plugin WappPress code issue vulnerability — WappPress | 4.9 | Medium | 2024-07-20 |
| CVE-2024-29736 | Apache CXF code issue vulnerability — Apache CXF | 9.1 | - | 2024-07-19 |
| CVE-2024-21527 | Gotenberg security vulnerability — github.com/gotenberg/gotenberg/v8/pkg/gotenberg | 8.2 | High | 2024-07-19 |
| CVE-2024-40898 | Apache HTTP Server code issue vulnerability — Apache HTTP Server | 7.5 (AI) | High (AI) | 2024-07-18 |
| CVE-2024-31979 | Apache StreamPipes code issue vulnerability — Apache StreamPipes | 8.1 (AI) | High (AI) | 2024-07-17 |
| CVE-2024-40632 | Linkerd security vulnerability — linkerd2 | 3.7 | Low | 2024-07-15 |
| CVE-2024-39739 | IBM Datacap Navigator code issue vulnerability — Datacap Navigator | 5.4 | Medium | 2024-07-15 |
| CVE-2024-32987 | Microsoft SharePoint security vulnerability — Microsoft SharePoint Enterprise Server 2016 | 7.5 | High | 2024-07-09 |
| CVE-2024-37171 | SAP Transportation Management code issue vulnerability — SAP Transportation Management (Collaboration Portal) | 5.0 | Medium | 2024-07-09 |
| CVE-2024-34689 | SAP Business Workflow security vulnerability — SAP Business Workflow (WebFlow Services) | 5.0 | Medium | 2024-07-09 |
| CVE-2024-39598 | SAP CRM code issue vulnerability — SAP CRM WebClient UI | 5.0 | Medium | 2024-07-09 |
| CVE-2024-39699 | Directus security vulnerability — directus | 5.0 | Medium | 2024-07-08 |
| CVE-2024-31897 | IBM Cloud Pak for Business Automation code issue vulnerability — Cloud Pak for Business Automation | 4.3 | Medium | 2024-07-08 |
| CVE-2024-6095 | LocalAI code issue vulnerability — mudler/localai | 5.3 (AI) | Medium (AI) | 2024-07-06 |
| CVE-2024-37208 | WordPress plugin WP Scraper code issue vulnerability — WP Scraper | 4.9 | Medium | 2024-07-06 |
| CVE-2024-37260 | WordPress theme Foxiz code issue vulnerability — Foxiz | 7.2 | High | 2024-07-06 |
| CVE-2024-34361 | Pi-hole security vulnerability — pi-hole | 8.6 | High | 2024-07-05 |
| CVE-2024-39687 | Fedify security vulnerability — fedify | 7.2 | High | 2024-07-05 |
| CVE-2024-6524 | ShopXO code issue vulnerability — ShopXO | 5.5 | Medium | 2024-07-05 |
| CVE-2024-37157 | Discourse security vulnerability — discourse | 6.4 | Medium | 2024-07-03 |
| CVE-2024-38472 | Apache HTTP Server security vulnerability — Apache HTTP Server | 7.5 (AI) | High (AI) | 2024-07-01 |
CWE-918 (Server-Side Request Forgery (SSRF)) is a common weakness class; this platform has collected 1659 CVE vulnerabilities associated with it.