CVE-2021-29357 - Outsystems ECT Provider Server Side Request Forgery

1. Vulnerability Properties

Title: Outsystems ECT Provider Server Side Request Forgery
CVE ID: CVE-2021-29357
CVSSv3 Base Score: 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
Vendor: Outsystems
Products: Outsystems
Advisory Release Date: 13 April 2021
Advisory URL: https://labs.integrity.pt/advisories/cve-2021-29357
Credits: Discovery by Ricardo Nunes <rn[at]integrity.pt>

2. Vulnerability Summary

The Outsystems ECT component is vulnerable to an SSRF attack, which may allow an attacker to force the server application to perform arbitrary HTTP requests.

3. Vulnerable Versions

  • Outsystems 10 < 10.0.1104.0
  • Outsystems 11 Platform Server < 11.9.0
  • Outsystems 11 LifeTime Management Console < 11.7.0

4. Solution

  • Upgrade to at least one of the following versions:
    • Outsystems 10 >= 10.0.1104.0
    • Outsystems 11 Platform Server >= 11.9.0
    • Outsystems 11 LifeTime Management Console >= 11.7.0
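The following is an added example, not part of this advisory and not vendor code: it takes the fixed versions listed in sections 3 and 4 and decides whether an installed build is still affected. It assumes Outsystems version strings are dotted sequences of integers that compare component by component (an assumption about the version scheme, not something the advisory states), and the product-line names used as keys are taken verbatim from the advisory. Versions are compared numerically rather than as strings, because lexical comparison misorders builds such as 10.0.999.0 and 10.0.1104.0.

```python
# Added example (not part of the advisory): decide whether an installed
# Outsystems build predates the fix, using the fixed versions stated in
# the advisory. Version strings are compared numerically, component by
# component, because plain string comparison misorders them
# ("10.0.999.0" > "10.0.1104.0" as strings, but not as versions).

from typing import Tuple

# Product line -> first fixed version, as listed in the advisory.
FIXED_VERSIONS = {
    "Outsystems 10": "10.0.1104.0",
    "Outsystems 11 Platform Server": "11.9.0",
    "Outsystems 11 LifeTime Management Console": "11.7.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Assumes purely numeric components (e.g. "11.9.0"); anything else is
    rejected rather than silently compared.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than version b.

    Missing trailing components are treated as zero, so "11.9" == "11.9.0".
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(product: str, installed: str) -> bool:
    """True if the installed build of `product` is below the fixed version."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product line not covered by this advisory: {product!r}")
    return version_lt(installed, FIXED_VERSIONS[product])


if __name__ == "__main__":
    # Constructed sample inventory; the installed version numbers below
    # are illustrative, not taken from any real deployment.
    inventory = [
        ("Outsystems 10", "10.0.999.0"),
        ("Outsystems 10", "10.0.1104.0"),
        ("Outsystems 11 Platform Server", "11.8.2"),
        ("Outsystems 11 LifeTime Management Console", "11.7.0"),
    ]
    for product, installed in inventory:
        state = "AFFECTED" if is_affected(product, installed) else "fixed"
        print(f"{product:45} {installed:12} {state}")
```

The check is deliberately strict: a version string it cannot parse raises instead of being treated as patched, so an unexpected format in an inventory export surfaces as an error rather than a false "fixed" result.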

5. Vulnerability Timeline

  • 4/Feb/2020 - Bug reported to vendor
  • 6/Feb/2020 - Bug confirmed by vendor
  • 4/Sep/2020 - Bug fixed by vendor
  • 13/Apr/2021 - Advisory released

6. References

  • https://success.outsystems.com/Support/Security/Vulnerabilities/Vulnerability_RTAF-2226
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29357