Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SSRF via image import from URL allows internal network probing by authenticated users
Vulnerability Description
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a URL source, the LXD daemon fails to validate or restrict outbound destination IP addresses, allowing connections to loopback, RFC1918 private ranges, and cloud metadata endpoints. This enables error-based port scanning and unauthorized interaction with internal HTTP services from the daemon's network position.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Canonical LXD 服务端请求伪造漏洞
Vulnerability Description
Canonical LXD是英国Canonical公司开源的一款基于Linux系统用于管理应用程序的容器。 Canonical LXD存在服务端请求伪造漏洞,该漏洞源于图片导入功能存在服务端请求伪造漏洞,导致LXD守护进程未能验证或限制出站目标IP地址,允许与内网基础设施进行交互。
CVSS Information
N/A
Vulnerability Type
N/A