
Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain

Critical severity GitHub Reviewed Published Apr 28, 2021 in zendesk/zendesk_api_client_php • Updated Jan 9, 2023

Package

composer zendesk/zendesk_api_client_php (Composer)

Affected versions

< 2.2.11

Patched versions

2.2.11

Description

Impact

Lack of input validation of the Zendesk subdomain could expose users of the library to Server-Side Request Forgery (SSRF).

Resolution

Validate that the provided Zendesk subdomain is a valid subdomain in:

  • getAuthUrl
  • getAccessToken
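As an added illustration of the fix described above (not the library's own code), the following compares a URL builder that interpolates the subdomain unvalidated with one that validates it first. The Zendesk OAuth path and the exact validation rule of the upstream patch are assumptions.

```php
<?php
// Illustrative validator and URL builders; not the zendesk_api_client_php code.
// A Zendesk subdomain is a single DNS label: letters, digits and hyphens,
// 1-63 characters, not starting or ending with a hyphen. Dots, slashes,
// '@', '?' or '#' would let the value escape the "<subdomain>.zendesk.com" host.
function isValidZendeskSubdomain(string $subdomain): bool
{
    return preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i', $subdomain) === 1;
}

// Vulnerable pattern: the subdomain is concatenated without validation, so the
// request host is controlled by whoever supplies the value (the SSRF the
// advisory describes).
function buildAuthUrlUnvalidated(string $subdomain, string $clientId): string
{
    return "https://{$subdomain}.zendesk.com/oauth/authorizations/new?"
        . http_build_query(['response_type' => 'code', 'client_id' => $clientId]);
}

// Hardened pattern: validate the label first, then re-check the parsed host.
function buildAuthUrl(string $subdomain, string $clientId): string
{
    if (!isValidZendeskSubdomain($subdomain)) {
        throw new InvalidArgumentException("Invalid Zendesk subdomain: {$subdomain}");
    }
    $url = "https://{$subdomain}.zendesk.com/oauth/authorizations/new?"
        . http_build_query(['response_type' => 'code', 'client_id' => $clientId]);
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || !preg_match('/\.zendesk\.com$/', $host)) {
        throw new RuntimeException("Unexpected host in auth URL: {$host}");
    }
    return $url;
}

// Constructed sample inputs: one normal subdomain and several malformed shapes.
$samples = ['acme', 'example.com/?x=', 'user@example.com#', 'a--b', '-bad'];
foreach ($samples as $s) {
    printf("%-20s valid=%s\n", $s, isValidZendeskSubdomain($s) ? 'yes' : 'no');
}
// With no validation the parsed host is no longer under zendesk.com.
echo 'unvalidated host: ', parse_url(buildAuthUrlUnvalidated('example.com/?x=', 'id'), PHP_URL_HOST), "\n";
echo 'validated URL:    ', buildAuthUrl('acme', 'my-client-id'), "\n";
```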

References

Reviewed Apr 28, 2021
Published to the GitHub Advisory Database Apr 29, 2021
Last updated Jan 9, 2023

Severity

Critical

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2021-30492

GHSA ID

GHSA-q348-f93x-9gx4

Source code

No known source code