CVE-2020-36474:
SafeCurl before 0.9.2 has a DNS rebinding vulnerability.

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.73753%
CWE: -
Published: 8/25/2021
Updated: 2/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name: vanilla/safecurl
Ecosystem: composer
Vulnerable Versions: < 0.9.2
First Patched Version: 0.9.2

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from a time-of-check-to-time-of-use (TOCTOU) issue in DNS resolution. The pre-0.9.2 implementation validated hostnames and resolved IPs initially but didn't enforce these resolved IPs during the actual cURL request execution. The GitHub pull request #2 adds DNS pinning through CURLOPT_RESOLVE in the execute() method, confirming this was the missing protection. The execute() method's failure to lock DNS results after validation created the window for DNS rebinding attacks.
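
The pattern described above (resolve once, validate the answers, then pin the request to them with CURLOPT_RESOLVE), as an added PHP example that is not SafeCurl's own code. The function names, the injectable resolver, the host rebind.example.test and the sample addresses are constructed for illustration, and the address check is a simplified stand-in for a real blocklist; ext-curl must be loaded for the CURLOPT_* constants.

```php
<?php
// Added example, not SafeCurl's code. The resolver is injectable so the
// rebinding case can be shown offline with constructed answers; a real
// caller could pass 'gethostbynamel' (IPv4 only) instead.

function isPublicIp(string $ip): bool
{
    // Simplified check: rejects private and reserved (incl. loopback) ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Resolve once, validate every answer, and return cURL options that pin
 * the request to a validated address so cURL performs no second lookup.
 */
function pinnedCurlOptions(string $url, callable $resolve): array
{
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        throw new InvalidArgumentException('unsupported URL');
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

    $ips = $resolve($host);                 // time of check: the only lookup
    if (!$ips) throw new RuntimeException("cannot resolve $host");
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) throw new RuntimeException("blocked address $ip");
    }
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"], // time of use: same IP
        CURLOPT_FOLLOWLOCATION => false,   // a redirect target needs its own check
        CURLOPT_RETURNTRANSFER => true,
    ];
}

// Constructed resolver modelling rebinding: public answer first, loopback after.
$answers   = [['93.184.216.34'], ['127.0.0.1']];
$rebinding = function (string $host) use (&$answers): array {
    return count($answers) > 1 ? array_shift($answers) : $answers[0];
};

$opts = pinnedCurlOptions('http://rebind.example.test/', $rebinding);
echo 'pinned entry: ', $opts[CURLOPT_RESOLVE][0], PHP_EOL;
// Without pinning, the request-time lookup would return this address instead:
echo 'second lookup: ', $rebinding('rebind.example.test')[0], PHP_EOL;
// To send: $ch = curl_init(); curl_setopt_array($ch, $opts); curl_exec($ch);
```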
