CVE-2020-28168: Input Validation
First published: Fri Nov 06 2020(Updated: )
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Cloud Pak for Automation | <=20.0.3 | |
| IBM Cloud Pak for Automation | <=20.0.2 IF002 | |
| Axios Axios | >=0.19.0<=0.21.0 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0-sp1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/191660
- https://www.ibm.com/support/pages/node/6412345 (Advisory)
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/axios/axios/issues/3369
- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E
Frequently Asked Questions
What is CVE-2020-28168?
CVE-2020-28168 is a Server-Side Request Forgery (SSRF) vulnerability in the axios NPM package version 0.21.0.
How does the CVE-2020-28168 vulnerability occur?
The vulnerability is caused by improper input validation in the axios module of Node.js, allowing an attacker to conduct an SSRF attack by providing a URL that redirects to a restricted host or IP address.
What is the severity of CVE-2020-28168?
The severity of CVE-2020-28168 is medium with a CVSS score of 5.9.
Which software products are affected by CVE-2020-28168?
IBM Cloud Pak for Automation versions up to 20.0.3, IBM Cloud Pak for Automation versions up to 20.0.2 IF002, and Siemens Sinec Ins version 1.0-sp1 are affected by CVE-2020-28168.
How can the CVE-2020-28168 vulnerability be fixed?
Update the affected software packages to a version that includes a fix for the vulnerability.
- collector/ibm-support
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/event
- agent/remedy
- agent/softwarecombine
- agent/last-modified-date
- agent/first-publish-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ibm
- canonical/ibm cloud pak for automation
- version/ibm cloud pak for automation/20.0.3
- version/ibm cloud pak for automation/20.0.2 if002
- vendor/axios
- canonical/axios axios
- version/axios axios/0.19.0
- version/axios axios/0.21.0
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0-sp1