CVE-2019-7652 in UnshortenLink Analyzer
Summary
by MITRE
TheHive Project UnshortenLink analyzer before 1.1, included in Cortex-Analyzers before 1.15.2, has SSRF. To exploit the vulnerability, an attacker must create a new analysis, select URL for Data Type, and provide an SSRF payload like "http://127.0.0.1:22" in the Data parameter. The result can be seen in the main dashboard. Thus, it is possible to do port scans on localhost and intranet hosts.
Analysis
by VulDB Data Team • 06/14/2025
The vulnerability identified as CVE-2019-7652 represents a critical server-side request forgery flaw within TheHive Project UnshortenLink analyzer, which was present in versions prior to 1.1 and affected Cortex-Analyzers versions before 1.15.2. This security weakness enables attackers to manipulate the analyzer's behavior by crafting malicious payloads that force the system to make HTTP requests to internal network resources. The vulnerability stems from insufficient input validation and sanitization mechanisms within the URL processing functionality, allowing arbitrary URL schemes and destinations to be processed without proper authorization checks.
The technical exploitation of this vulnerability follows a straightforward attack vector: an adversary creates a new analysis task, selects the URL data type, and supplies a malicious value in the Data parameter. When the analyzer processes this input, it follows the provided URL without verifying its legitimacy or restricting access to internal network resources. The payload "http://127.0.0.1:22" shows how an attacker can reach localhost services, in this case port 22, which typically hosts SSH, though other internal ports could be probed in the same way. This behavior violates the principle of least privilege and is a classic SSRF pattern, classified under CWE-918, which specifically covers server-side request forgery.
The operational impact extends beyond simple information disclosure, because the flaw turns the analyzer host into a vantage point for network reconnaissance and potential system compromise. An attacker can probe ports on localhost and on internal network hosts, identifying open services, vulnerable applications, or misconfigured systems that external enumeration would never reach. A simple URL analysis function thereby becomes a reconnaissance tool that can reveal internal network topology and service configurations. Because the analyzer's result is rendered in the main dashboard, the attacker can read the outcome of each probe directly, which can feed further exploitation or privilege escalation within the environment.
Organizations running TheHive Project and Cortex-Analyzers should apply mitigations immediately: update the UnshortenLink analyzer to 1.1 or later (shipped in Cortex-Analyzers 1.15.2 or later), where the vulnerability is patched; segment the network so the analyzer components cannot reach sensitive internal services; and enforce proper input validation. The fix typically consists of strict URL validation that restricts requests to authorized destinations and blocks internal IP ranges such as 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Web application firewalls and network-level egress controls add defense in depth. This vulnerability maps to ATT&CK technique T1071.004 for application layer protocol and T1046 for network service scanning, highlighting its potential for both the reconnaissance and exploitation phases of an attack lifecycle. It demonstrates the critical importance of validating and sanitizing all user-provided input, particularly when the application makes requests to external services or network resources on the user's behalf.
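As an added example, not code from the Cortex-Analyzers project, the following Python implements the validation described above for a link-unshortening analyzer: it accepts only http(s) URLs whose host resolves exclusively to globally routable addresses, and it re-checks every redirect hop, since an unshortener follows redirects by design and the first hop may be public while a later one is not. The `CONSTRUCTED_DNS` table and the `next_hop` callback interface are assumptions made so the example runs offline.

```python
"""Defensive URL checking for a link-unshortening analyzer (added example,
not the Cortex-Analyzers project's own code). A URL is fetched only if its
scheme is http(s) and every address its host resolves to is globally
routable, and the check is repeated on every redirect hop."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_HOPS = 10
# Constructed lookup table standing in for DNS so the example runs offline.
CONSTRUCTED_DNS = {
    "short.example": ["93.184.216.34"],
    "intranet.corp": ["10.1.2.3"],
    "dual.example": ["93.184.216.34", "192.168.1.5"],  # one private record
}


def resolve_real(host):
    """Resolve via the system resolver (default when no table is injected)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_url(url, resolve=resolve_real):
    """True only if url is http(s) and every resolved address is global."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # IP literal
    except ValueError:  # a hostname: resolve it
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except (OSError, LookupError, ValueError):
            return False
    # is_global is False for loopback, RFC 1918, link-local and reserved space.
    return bool(addrs) and all(a.is_global for a in addrs)


def unshorten_safely(url, next_hop, resolve=resolve_real):
    """Follow redirects one hop at a time, validating each target first.
    next_hop(url) returns the absolute Location of a redirect or None when
    the response is final (assumed interface; the real client must not
    auto-follow redirects). Returns the final URL or raises ValueError."""
    for _ in range(MAX_HOPS):
        if not is_safe_url(url, resolve):
            raise ValueError(f"refusing non-public target: {url}")
        target = next_hop(url)
        if target is None:
            return url
        url = target
    raise ValueError("too many redirects")
```

Resolving the name once in the validator and again inside the HTTP client leaves a DNS rebinding window; a production client should connect to the address that was validated rather than re-resolving.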