CVE-2024-46413 in Rebuild
Summary
by MITRE • 08/26/2025
Rebuild v3.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the type parameter in the com.rebuild.web.admin.rbstore.RBStoreController#loadDataIndex method.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/13/2025
The vulnerability identified as CVE-2024-46413 affects Rebuild version 3.7.7 and represents a critical Server-Side Request Forgery flaw that can be exploited by remote attackers to manipulate server-side requests. This vulnerability exists within the RBStoreController class in the com.rebuild.web.admin.rbstore package, specifically in the loadDataIndex method where the type parameter is processed without adequate validation or sanitization. The SSRF vulnerability allows an attacker to submit malicious requests that can be executed by the server, potentially enabling unauthorized access to internal systems or data that would otherwise be protected by network segmentation.
The technical implementation of this vulnerability stems from insufficient input validation on the type parameter, which is directly passed to server-side operations without proper sanitization or restriction. When an attacker crafts a malicious request containing a crafted type value, the server processes this parameter and attempts to make requests to arbitrary destinations specified within the parameter. This flaw creates a pathway for attackers to potentially access internal services, databases, or other resources that should not be reachable from the external network. The vulnerability operates at the application layer and can be exploited without requiring authentication, making it particularly dangerous as it can be leveraged to perform reconnaissance activities or gain access to sensitive internal systems.
The operational impact of this vulnerability extends beyond simple data exfiltration or service disruption. Attackers can utilize this SSRF flaw to perform internal network scanning, access internal APIs, or even exploit other vulnerabilities within the internal network that are not directly exposed to the internet. This capability significantly broadens the attack surface and can lead to lateral movement within the network, potentially resulting in complete system compromise. The vulnerability is particularly concerning because it resides in an administrative controller, which often has elevated privileges and access to sensitive data and system functions. Organizations using Rebuild 3.7.7 may find their administrative interfaces vulnerable to exploitation, potentially allowing attackers to gain unauthorized access to critical business data or system configurations.
Mitigation strategies for CVE-2024-46413 should prioritize immediate patching of the affected Rebuild version to the latest available release that addresses this vulnerability. Organizations should also implement network-level restrictions and firewalls to limit outbound connections from the affected servers, particularly restricting access to internal services or known vulnerable endpoints. Input validation should be strengthened at the application level by implementing strict parameter validation and sanitization for all user-provided inputs, especially those used in server-side request operations. The vulnerability aligns with CWE-918 which specifically addresses Server-Side Request Forgery vulnerabilities, and can be mapped to ATT&CK technique T1190 which covers the exploitation of server-side request forgery. Additionally, organizations should conduct thorough network segmentation and implement proper access controls to limit the potential impact of such vulnerabilities and reduce the attack surface for similar exploits.