漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Astro: Host-header full-read SSRF in core prerendered error-page fetch (prerenderedErrorPageFetch default + unvalidated createRequestFromNodeRequest URL)
Vulnerability Description
Astro is a web framework. Prior to 6.4.6, Astro SSR apps with prerendered error pages (/404 or /500 using export const prerender = true) fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header is not validated against allowedDomains, an attacker can point the fetch at an arbitrary host and read the response. This vulnerability is fixed in 6.4.6.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Vulnerability Type
输入验证不恰当
Vulnerability Title
Astro 输入验证错误漏洞
Vulnerability Description
Astro是Astro团队开源的一个内容驱动网站的 web 框架。 Astro 6.4.6之前版本存在安全漏洞,该漏洞源于未验证Host header,导致服务端请求伪造,攻击者可能将请求指向任意主机并读取响应。
CVSS Information
N/A
Vulnerability Type
N/A