CVE-2022-31196 HIGH

CVE-2022-31196: Server-Side Request Forgery (SSRF) vulnerability in Databasir

Vendor Vran-Dev
Product databasir
Weakness CWE-918 · SSRF
Published September 2, 2022
Last update April 22, 2025

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

01 Description

Databasir is a database metadata management platform. Databasir <= 1.06 has a Server-Side Request Forgery (SSRF) vulnerability. The SSRF is triggered by sending a **single** HTTP POST request to create a databaseType. When the supplied `jdbcDriverFileUrl` returns a non-`200` response code, the server has already requested the URL; the response is logged (both in the terminal and in the database) and is included in the HTTP response. This allows an attacker to obtain the real IP address and scan the intranet for information. This issue was fixed in version 1.0.7.
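A defensive check of the kind that addresses this class of bug, shown as an added example and not Databasir's own code or its actual 1.0.7 fix: the `jdbcDriverFileUrl` value is validated before any request is made. The class name `DriverUrlGuard` and the allowlisted host are assumptions for illustration.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not Databasir code: vets a jdbcDriverFileUrl before any fetch.
public class DriverUrlGuard {
    // Assumed allowlist of driver repositories; adjust for the deployment.
    private static final Set<String> ALLOWED_HOSTS = Set.of("repo1.maven.org");

    public static URI validate(String raw) {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("driver URL is not a valid URI");
        }
        String host = uri.getHost();
        if (!"https".equalsIgnoreCase(uri.getScheme()) || host == null
                || uri.getUserInfo() != null
                || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("driver URL host or scheme not allowed");
        }
        try {
            // Reject names that resolve to internal ranges, even if allowlisted.
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (isInternal(a)) {
                    throw new IllegalArgumentException("driver URL resolves to an internal address");
                }
            }
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("driver URL host does not resolve");
        }
        return uri;
    }

    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean ipv6UniqueLocal = b.length == 16 && (b[0] & 0xfe) == 0xfc; // fc00::/7
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress() || ipv6UniqueLocal;
    }

    public static void main(String[] args) {
        // Constructed input: rejected at the scheme/allowlist check, before any lookup.
        try { validate("http://127.0.0.1:8080/driver.jar"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The download that follows validation should not follow redirects, and a failed download should return a fixed error message, not the upstream response body that this CVE exposed in logs and in the API response.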

Key dates

02 Disclosure timeline

September 2, 2022 CVE published
April 22, 2025 Record updated