PT-2024-23: Server-Side Request Forgery (SSRF) in Mobile Security Framework (MobSF) Vendor: OPENSECURITYProduct: Mobile Security Framework (MobSF)Vulnerable version: <=3.9.7Vulnerability type:- CWE-918: Server-Side Request Forgery (SSRF)Identifier (ID):BDU:2024-03055CVE-2024-31215Vulnerability vector:- Base vulnerability score (CVSSv3.1): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L- Severity (CVSSv3.1): 6.3 (medium)- Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L- Severity (CVSSv4.0): 5.3 (medium)Description:The vulnerability was identified in Mobile Security Framework (MobSF), versions <=3.9.7. The discovered SSRF vulnerability in Firebase Database Check can be exploited by an attacker to make server connect to internal-only services. It is possible to make internal requests in case a malicious app is uploaded to Static analyzer.Vulnerability status: Confirmed by vendorDate of vulnerability detection: 02.04.2024Recommendations: Update to version 3.9.8 or higher.Additional information: Security BulletinResearcher: Oleg Surnin (Positive Technologies)