CVE-2024-51981

An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CLRF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The attacker can control all the HTTP data sent in the SSRF connection, but the attacker can not receive any data back from this connection.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf
https://github.com/sfewer-r7/BrotherVulnerabilities
https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100846_000
https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100848_000
https://support.brother.com/g/b/link.aspx?prod=lmgroup1&faqid=faqp00100620_000
https://www.fujifilm.com/fbglobal/eng/company/news/notice/2025/0625_announce.html
https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2025-0001.pdf
https://www.rapid7.com/blog/post/multiple-brother-devices-multiple-vulnerabilities-fixed
https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000007
https://www.toshibatec.com/information/20250625_02.html
https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf

Configurations

No configuration.

History

26 Jun 2025, 18:58

Type	Values Removed	Values Added
Summary		(es) Un atacante no autenticado podría realizar server-side request forgery (SSRF) ciega debido a un problema de inyección de CLRF que puede aprovecharse para el contrabando de solicitudes HTTP. Esta SSRF utiliza la función WS-Addressing utilizada durante una operación SOAP de suscripción WS-Eventing. El atacante puede controlar todos los datos HTTP enviados en la conexión SSRF, pero no puede recibirlos de vuelta.

25 Jun 2025, 15:15

Type	Values Removed	Values Added
References		() https://www.fujifilm.com/fbglobal/eng/company/news/notice/2025/0625_announce.html - () https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2025-0001.pdf - () https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000007 - () https://www.toshibatec.com/information/20250625_02.html -

25 Jun 2025, 13:15

Type	Values Removed	Values Added
References	~~() https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf -~~	() https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf -

25 Jun 2025, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-25 08:15

Updated : 2025-06-26 18:58

NVD link : CVE-2024-51981

Mitre link : CVE-2024-51981

CVE.ORG link : CVE-2024-51981

JSON object : View

Products Affected

No product.

CWE

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-918

Server-Side Request Forgery (SSRF)

5.3 /10