Miggo Logo
Miggo Vulnerability Database
CVE-2020-14044

CVE-2020-14044:
Codiad SSRF Vulnerability

7.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-14044
GHSA ID
GHSA-c3q8-hh69-7mg5
EPSS Score
0.8744%
CWE
CWE-918
Published
5/24/2022
Updated
4/25/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
codiad/codiadcomposer>= 1.7.8, <= 2.8.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability explicitly references components/market/class.market.php as the entry point. The Market class's remote file retrieval functionality would be responsible for plugin installation from external sources. Since the advisory specifies SSRF through plugin installation, a function handling remote resource fetching (like getRemoteFile) would be the logical point where user-controlled URLs are accessed without proper validation. The high confidence comes from the direct correlation between the documented attack vector (plugin install feature) and typical SSRF patterns in package management components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* S*rv*r-Si** R*qu*st *or**ry (SSR*) vuln*r**ility w*s *oun* in *o*i** v*.*.* *n* l*t*r. * us*r wit* **min privil***s *oul* us* t** plu*in inst*ll ***tur* to m*k* t** s*rv*r r*qu*st *ny URL vi* *ompon*nts/m*rk*t/*l*ss.m*rk*t.p*p. T*is *oul* pot*nti*l

Reasoning

T** vuln*r**ility *xpli*itly r***r*n**s *ompon*nts/m*rk*t/*l*ss.m*rk*t.p*p *s t** *ntry point. T** M*rk*t *l*ss's r*mot* *il* r*tri*v*l *un*tion*lity woul* ** r*sponsi*l* *or plu*in inst*ll*tion *rom *xt*rn*l sour**s. Sin** t** **visory sp**i*i*s SSR