#ssrf

### Description If a hostname was blacklisted, it was possible to bypass the blacklist by requesting the FQDN of the host (e.g. adding `.` to the end). ### Impact The main purpose of this library is to block requests to internal/private IPs and these cannot be bypassed using this finding. But if a library user had specifically set certain hostnames as blocked, then an attacker would be able to circumvent that block to cause SSRFs to request those hostnames. ### Patches Fixed by https://github.com/IncludeSecurity/safeurl-python/pull/6 ### Credit https://github.com/Sim4n6

Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

Server-Side Request Forgery (SSRF) in GitHub repository plantuml/plantuml prior to 1.2023.9.

BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, ...

Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth Service Provider, allows SSRF via a crafted KeyInfo element. (This is fixed in, for example, Shibboleth Service Provider 3.4.1.3 on Windows.)

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.

OX App Suite suffers from server-side request forgery, command injection, uncontrolled resource consumption, code injection, authorization bypass, and insecure storage vulnerabilities. Various versions in the 7.10.x and 8.x branches are affected.

Debian Linux Security Advisory 5432-1 - Jurien de Jong discovered that the parsing of KeyInfo elements within the XMLTooling library may result in server-side request forgery.

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.