CVE-2024-31215 - Vulnerability Details - OpenCVE

Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile. A SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization’s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Opensecurity	Mobile Security Framework

Configuration 1 [-]

cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716
https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373
https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx

History

Mon, 30 Jun 2025 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opensecurity Opensecurity mobile Security Framework
CPEs		cpe:2.3:a:opensecurity:mobile_security_framework::::::::
Vendors & Products		Opensecurity Opensecurity mobile Security Framework

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-04T16:10:18.954Z

Updated: 2024-08-02T01:46:04.599Z

Reserved: 2024-03-29T14:16:31.901Z

Link: CVE-2024-31215

Vulnrichment

Updated: 2024-05-23T19:01:22.680Z

NVD

Status : Analyzed

Published: 2024-04-04T16:15:09.787

Modified: 2025-06-30T13:04:19.583

Link: CVE-2024-31215

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31215", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.901Z", "datePublished": "2024-04-04T16:10:18.954Z", "dateUpdated": "2024-08-02T01:46:04.599Z"}, "containers": {"cna": {"title": "Mobile Security Framework (MobSF) vulnerable to Server-Side Request Forgery (SSRF) in firebase database check", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"version": "<= 3.9.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T16:10:18.954Z"}, "descriptions": [{"lang": "en", "value": "Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.\nA SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\u2019s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.\n"}], "source": {"advisory": "GHSA-wpff-wm84-x5cx", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31215", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T16:01:30.374998Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:36:55.369Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:46:04.599Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31215", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-29T14:16:31.901Z", "datePublished": "2024-04-04T16:10:18.954Z", "dateUpdated": "2024-06-04T17:36:55.369Z"}, "containers": {"cna": {"title": "Mobile Security Framework (MobSF) vulnerable to Server-Side Request Forgery (SSRF) in firebase database check", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"}, {"name": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716", "tags": ["x_refsource_MISC"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"}], "affected": [{"vendor": "MobSF", "product": "Mobile-Security-Framework-MobSF", "versions": [{"version": "<= 3.9.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-04-04T16:10:18.954Z"}, "descriptions": [{"lang": "en", "value": "Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.\nA SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\u2019s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.\n"}], "source": {"advisory": "GHSA-wpff-wm84-x5cx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31215", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-09T16:01:30.374998Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:22.680Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensecurity:mobile_security_framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "66D2235C-C828-4EEB-8D92-B0F1CDF83F24", "versionEndExcluding": "3.9.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mobile Security Framework (MobSF) is a security research platform for mobile applications in Android, iOS and Windows Mobile.\nA SSRF vulnerability in firebase database check logic. The attacker can cause the server to make a connection to internal-only services within the organization\u2019s infrastructure. When a malicious app is uploaded to Static analyzer, it is possible to make internal requests. This vulnerability has been patched in version 3.9.8.\n"}, {"lang": "es", "value": "Mobile Security Framework (MobSF) es una plataforma de investigaci\u00f3n de seguridad para aplicaciones m\u00f3viles en Android, iOS y Windows Mobile. Una vulnerabilidad SSRF en la l\u00f3gica de verificaci\u00f3n de la base de datos de Firebase. El atacante puede hacer que el servidor establezca una conexi\u00f3n con servicios exclusivamente internos dentro de la infraestructura de la organizaci\u00f3n. Cuando se carga una aplicaci\u00f3n maliciosa en el analizador est\u00e1tico, es posible realizar solicitudes internas. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 3.9.8."}], "id": "CVE-2024-31215", "lastModified": "2025-06-30T13:04:19.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-04T16:15:09.787", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/43bb71d115d78c03faa82d75445dd908e9b32716"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/pull/2373"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-wpff-wm84-x5cx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}