
CVE-2023-24623: Paranoidhttp Server-Side Request Forgery vulnerability

CVSS 3.1 Score: 7.5

Basic Information

EPSS Score: 0.19142%
Published: 1/30/2023
Updated: 5/20/2024
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name: github.com/hakobe/paranoidhttp
Ecosystem: go
Vulnerable Versions: < 0.3.0
First Patched Version: 0.3.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the IP validation logic of the safeAddr function in client.go. Before 0.3.0 the code applied its private-address filter only when the parsed IP was IPv4 (ip.To4() != nil), so the IPv6 unspecified address [::] was never inspected at all. Dialing [::] behaves like dialing 0.0.0.0: the operating system treats the unspecified address as the local host, so a request to http://[::]:port/ reaches services bound on loopback, which is exactly what the library's filter exists to prevent. The patch added ip.IsUnspecified() to the conditional, which confirms this as the vulnerable code path, and the accompanying test in client_test.go that exercises [::] confirms the function's role. The Go vulnerability report (GO-2023-1526) explicitly lists safeAddr as the affected symbol.
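The following is an added example, not paranoidhttp's own code, that reproduces the shape of the bug described above and the effect of the fix. vulnerableCheck applies a private-address filter only when the literal parses as IPv4, so "::" is never examined; hardenedCheck adds the IsUnspecified() test that the patch introduced and, going one step further than the page's fix, also rejects IPv6 loopback, unique-local, link-local and multicast literals, which the same IPv4-only gate would let through. The blocked IPv4 ranges in badV4Nets are a hypothetical list chosen for this example, not the library's table.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// badV4Nets holds the IPv4 ranges this example refuses to connect to.
// Hypothetical list for illustration; not paranoidhttp's own table.
var badV4Nets []*net.IPNet

func init() {
	for _, cidr := range []string{
		"0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
		"172.16.0.0/12", "192.168.0.0/16",
	} {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil {
			panic(err)
		}
		badV4Nets = append(badV4Nets, n)
	}
}

// isBadIPv4 reports whether an IPv4 (or IPv4-mapped IPv6) address falls in a
// blocked range. net.IPNet.Contains normalises 16-byte mapped forms itself.
func isBadIPv4(ip net.IP) bool {
	for _, n := range badV4Nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// vulnerableCheck mirrors the pre-0.3.0 shape: the filter runs only when the
// literal is IPv4, so the IPv6 unspecified address "::" is never inspected.
func vulnerableCheck(host string) error {
	ip := net.ParseIP(host)
	if ip == nil {
		return errors.New("not an IP literal")
	}
	if ip.To4() != nil && isBadIPv4(ip) {
		return fmt.Errorf("bad ip is detected: %v", ip)
	}
	return nil
}

// hardenedCheck rejects the unspecified address for both families (the fix the
// root-cause analysis describes) and additionally IPv6 loopback, unique-local,
// link-local and multicast literals before the IPv4-only range filter runs.
func hardenedCheck(host string) error {
	ip := net.ParseIP(host)
	if ip == nil {
		return errors.New("not an IP literal")
	}
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		return fmt.Errorf("bad ip is detected: %v", ip)
	}
	if ip.To4() != nil && isBadIPv4(ip) {
		return fmt.Errorf("bad ip is detected: %v", ip)
	}
	return nil
}

func main() {
	// Constructed inputs: the CVE's trigger, its IPv4 twin, loopback in three
	// spellings, and a public address from the 203.0.113.0/24 documentation range.
	for _, h := range []string{"::", "0.0.0.0", "127.0.0.1", "::1", "::ffff:127.0.0.1", "203.0.113.10"} {
		fmt.Printf("%-18s allowed before fix=%-5v allowed after fix=%v\n",
			h, vulnerableCheck(h) == nil, hardenedCheck(h) == nil)
	}
}
```

The asymmetry the output shows is the whole bug: "0.0.0.0" is refused because it is IPv4 and sits in 0.0.0.0/8, while "::" sails through because To4() is nil for it. In a real client the same predicate must also run on every address the resolver returns for a hostname, not only on literals, otherwise a DNS name pointing at :: or 127.0.0.1 bypasses the check just as well.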


WAF Protection Rules

WAF Rule

Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.
