
CVE-2021-22969: Server-Side Request Forgery in Concrete CMS

CVSS Score (v3.1)
5.3

Basic Information

EPSS Score
0.50112%
Published
11/23/2021
Updated
2/1/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name      Ecosystem   Vulnerable Versions   First Patched Version
concrete5/core    composer    < 8.5.7               8.5.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The available vulnerability information describes an SSRF mitigation bypass via DNS rebinding: the URL's host was validated by the address it resolved to, but the download then resolved the name a second time, so an attacker-controlled domain could answer with a public address during validation and with a local address (such as the cloud metadata endpoint that serves IAM credentials) during the fetch. The advisory and release notes state that the fix disallows downloads from the local network and downloads from the validated IP instead of re-resolving the hostname, but they do not name the affected functions, and no pre-patch code, commit diff, or GitHub patch details are included. Without those, the described weakness cannot be confidently mapped to specific PHP functions in the codebase; it appears to stem from how DNS resolution and network validation were designed rather than from an isolated function-level flaw.
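The time-of-check/time-of-use gap behind a DNS-rebinding SSRF bypass, next to the two fixes the advisory names (rejecting local-network destinations and connecting to the validated IP instead of re-resolving the hostname), as an added Python example that is not Concrete CMS code. The resolver and HTTP transport are constructed stand-ins so the script runs offline; the name attacker.example, the public address 93.184.216.34 and the returned strings are assumptions for illustration.

```python
import ipaddress
import itertools
from urllib.parse import urlparse

# Cloud instance-metadata endpoint (link-local). Reaching it via SSRF is the
# advisory's IAM-key theft scenario; it must never pass validation.
IMDS_IP = "169.254.169.254"


class RebindingResolver:
    """Constructed stand-in for DNS (not a real resolver): answers for a name
    are handed out in order and cycle, so an attacker-controlled name can
    answer a public address on the first lookup (validation) and a local one
    on the second (the actual fetch)."""

    def __init__(self, answers):
        self._answers = {name: itertools.cycle(ips) for name, ips in answers.items()}

    def resolve(self, hostname):
        return ipaddress.ip_address(next(self._answers[hostname]))


def fake_transport(ip, hostname, path):
    """Constructed stand-in for an HTTP client: connects to `ip` and sends
    `Host: hostname`. What comes back depends only on the connected IP."""
    if str(ip) == IMDS_IP:
        return "IMDS: iam/security-credentials"
    return f"public content for {hostname}{path}"


def is_public(ip):
    """The 'no local network' rule: reject loopback, RFC 1918, link-local
    (which covers IMDS), multicast, reserved and unspecified addresses, and
    their IPv4-mapped IPv6 spellings such as ::ffff:169.254.169.254."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6 objects carry this
    if mapped is not None:
        addr = mapped
    return addr.is_global and not addr.is_multicast and not addr.is_reserved


def fetch_vulnerable(url, resolver, transport=fake_transport):
    """Bypassable pattern: validate the address the name resolves to, then
    hand the hostname to the client, which resolves it all over again."""
    parts = urlparse(url)
    if not is_public(resolver.resolve(parts.hostname)):
        raise ValueError("destination is not a public address")
    connect_ip = resolver.resolve(parts.hostname)  # second lookup: the TOCTOU gap
    return transport(connect_ip, parts.hostname, parts.path)


def fetch_hardened(url, resolver, transport=fake_transport):
    """Patched pattern: connect to the exact address that passed validation;
    the hostname is only carried in the Host header."""
    parts = urlparse(url)
    connect_ip = resolver.resolve(parts.hostname)
    if not is_public(connect_ip):
        raise ValueError("destination is not a public address")
    return transport(connect_ip, parts.hostname, parts.path)


def rebinding_resolver():
    """Assumed attacker domain: public address first, metadata IP second."""
    return RebindingResolver({"attacker.example": ["93.184.216.34", IMDS_IP]})


URL = "http://attacker.example/latest/meta-data/iam/security-credentials/"


def demo():
    """Same URL, same rebinding name: only the re-resolving fetch reaches IMDS."""
    return fetch_vulnerable(URL, rebinding_resolver()), fetch_hardened(URL, rebinding_resolver())


def rejected(fetch, url, resolver):
    """True when `fetch` refuses the destination outright."""
    try:
        fetch(url, resolver)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)
    print("hardened:  ", safe)
```

Two practical caveats when applying this to a real HTTP client: pinning the connection to the validated IP means TLS must still verify the certificate against the original hostname (set SNI and the verification name explicitly), and every redirect hop is a new destination that must be resolved and validated the same way, since a rebinding name is just as effective behind a 302.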

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys. To fix this Concrete CMS no longer allows downloads from the local network
