CVE-2023-48910: 
Java vulnerability analysis and mitigation

Microcks up to version 1.17.1 was discovered to contain a Server-Side Request Forgery (SSRF) vulnerability affecting the /jobs and /artifact/download components. The vulnerability was disclosed on November 15, 2023, and allows attackers to access network resources and sensitive information through crafted GET requests (GitHub Gist, NVD).

The vulnerability exists in the API endpoints /jobs and /artifact/download, which are susceptible to SSRF attacks via the repositoryUrl and url parameters. The issue has been assigned CVE-2023-48910 and received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) (NVD).

The vulnerability allows attackers to access internal network resources and sensitive information where Microcks is deployed. If there are vulnerable web services within the internal network, attackers could exploit this SSRF vulnerability to send malicious HTTP requests and potentially compromise the overall security of the internal network (GitHub Discussion).

The recommended mitigation is to filter internal network IP ranges, including but not limited to 127.0.0.1, 192.168.0.1/24, and 172.16.0.1/24, to protect internal network resources. This helps prevent unauthorized access to sensitive internal services through the SSRF vulnerability (GitHub Discussion).