
TinyCheck tool was vulnerable to a Server-Side Request Forgery (SSRF) attack

Moderate
KLBot published GHSA-gqpw-3669-6w5h Jan 21, 2021

Package

No package listed

Affected versions

without commits 9fd360d and ea53de8

Patched versions

with commits 9fd360d and ea53de8

Description

Kaspersky has fixed the following security problem in the TinyCheck open source tool. The tool was vulnerable to a Server-Side Request Forgery (SSRF) attack: an authenticated attacker could force the "watcher" service component of the tool to send an HTTP GET request to an attacker-crafted URL. Because that request originates from the host running TinyCheck, it can reach services (loopback, internal network, cloud metadata endpoints) that the attacker cannot reach directly. Issue type: SSRF.
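The kind of guard that closes this class of hole, as an added example that is not TinyCheck's own code and not the content of the fixing commits: a service that fetches a caller-supplied URL checks the scheme, rejects userinfo tricks, matches the host against an allowlist, resolves it once, and refuses non-public addresses before any request is made. The allowlisted hostnames, the DEMO_DNS table, demo_resolver and the function names are assumptions constructed for this example; a real deployment keeps the default socket.gethostbyname resolver and its own allowlist.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of hosts the fetching service is permitted to contact.
# (Hypothetical names; TinyCheck's real configuration is not shown on this page.)
ALLOWED_HOSTS = {"iocs.example.org", "updates.example.org"}
ALLOWED_SCHEMES = {"https"}

# Constructed DNS records so the example runs offline; a real deployment
# passes socket.gethostbyname (the default) as the resolver.
DEMO_DNS = {
    "iocs.example.org": "93.184.216.34",  # public address: should pass
    "updates.example.org": "127.0.0.1",   # allowlisted name pointing at loopback: should fail
}


def demo_resolver(host: str) -> str:
    """Stand-in for socket.gethostbyname backed by the constructed DEMO_DNS table."""
    try:
        return DEMO_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no record for {host!r}")


def is_public_address(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local (which covers 169.254.169.254,
    the usual cloud metadata address), multicast, reserved and unspecified
    addresses, IPv4 or IPv6."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vulnerable_fetch_target(url: str) -> str:
    """The shape of the bug: the caller's URL is used as-is, so an
    authenticated user can point the service at 127.0.0.1, 169.254.169.254
    or any internal host the service itself can reach."""
    return url


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=socket.gethostbyname):
    """Return (hostname, resolved_ip) for a URL the service may fetch, else raise ValueError.
    The caller should connect to the returned IP (sending hostname as Host/SNI) so a
    second lookup cannot return a different answer (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # e.g. https://iocs.example.org@127.0.0.1/ : the real host is after the '@'
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if not host:
        raise ValueError("missing host")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    try:
        ip = str(ipaddress.ip_address(host))    # allowlist entry that is a literal IP
    except ValueError:
        try:
            ip = resolver(host)
        except OSError as exc:                  # socket.gaierror is an OSError
            raise ValueError(f"cannot resolve {host!r}: {exc}") from exc
    if not is_public_address(ip):
        raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return host, ip


def is_safe_fetch_url(url, **kwargs) -> bool:
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://iocs.example.org/iocs.json",
        "http://iocs.example.org/iocs.json",
        "https://127.0.0.1:8080/",
        "https://updates.example.org/whitelist.json",
        "https://iocs.example.org@169.254.169.254/latest/meta-data/",
    ):
        print(f"{candidate:62} -> {is_safe_fetch_url(candidate, resolver=demo_resolver)}")
```

Two caveats a practitioner should keep in mind: the check covers only the first hop, so the HTTP client must either disable automatic redirects or run the same validation on every Location it would follow; and a hostname allowlist is only as strong as the resolution step, which is why the function returns the IP it validated rather than leaving the client to resolve the name again.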

List of affected products

TinyCheck without commits 9fd360d and ea53de8 from December 18th, 2020

Fixed versions

TinyCheck with commits 9fd360d and ea53de8 from December 18th, 2020
To update the tool to the latest commit/version, run the following as root (the leading "#" in the original advisory is the root shell prompt, not part of the command): cd /usr/share/tinycheck/ && bash update.sh

Acknowledgements

We would like to thank the security researchers from Sayfer who discovered this issue and responsibly reported it.

Severity

Moderate

CVE ID

CVE-2020-36200

Weaknesses

No CWEs