CVE-2024-29190: SSRF Vulnerability on assetlinks_check(act_name, well_knowns)
While examining the “App Link assetlinks.json file could not be found” vulnerability detected by MobSF, we, as the Trendyol Application Security team, noticed that a GET request was sent to the “/.well-known/assetlinks.json” endpoint for all hosts written with “android:host”. In the AndroidManifest.xml file.
Since MobSF does not perform any input validation when extracting the hostnames in “android:host”, requests can also be sent to local hostnames. This may cause SSRF vulnerability.
References
- github.com/MobSF/Mobile-Security-Framework-MobSF
- github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wfgj-wrgh-h3r3
- github.com/MobSF/mobsfscan/commit/61fd40b477bbf9d204eb8c5a83a86c396d839798
- github.com/MobSF/mobsfscan/commit/cd01b71770a6e56c1c71b0e5f454e7b6c9c64ef4
- github.com/advisories/GHSA-wfgj-wrgh-h3r3
- nvd.nist.gov/vuln/detail/CVE-2024-29190
Code Behaviors & Features
Detect and mitigate CVE-2024-29190 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →