Skip to main content

Apwide Golive CVE-2025-45939

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2025-07-25 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
6.4 MEDIUM

Webhook test is a plugin feature requiring Jira login (PR:L); SSRF crosses trust boundary (S:C); no meaningful availability impact from SSRF alone.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 05, 2026 - 03:48 vuln.today
CVE Published
Jul 25, 2025 - 14:15 cve.org
MEDIUM 6.5

DescriptionCVE.org

Apwide Golive 10.2.0 Jira plugin allows Server-Side Request Forgery (SSRF) via the test webhook function.

AnalysisAI

Server-Side Request Forgery in Apwide Golive 10.2.0 for Jira allows an attacker to abuse the plugin's test webhook function to induce the server to issue HTTP requests to arbitrary internal or external hosts. The vulnerability carries a scope-changed CVSS vector (S:C), meaning requests escape the plugin's trust boundary and can reach internal network resources invisible to the attacker. With an EPSS of 0.29% (20th percentile) and no active exploitation confirmed in CISA KEV, real-world risk is currently low, but the SSRF primitive could enable internal service enumeration or SSRF-chained attacks against cloud metadata endpoints on Jira-hosting infrastructure.

Technical ContextAI

CWE-918 (Server-Side Request Forgery) describes a class of vulnerability where an application fetches a remote resource using attacker-controlled input without adequate validation of the target URL scheme, host, or port. In this case, the vulnerable surface is the 'test webhook' function of the Golive plugin (CPE: cpe:2.3:a:apwide:golive:10.2.0:*:*:*:*:jira:*:*), which is designed to let users verify that a configured webhook endpoint is reachable. By supplying a crafted URL pointing to an internal address (e.g., 169.254.169.254 for cloud metadata, or RFC-1918 addresses for internal services), an attacker can cause the Jira application server to make outbound requests on their behalf. The scope-changed flag (S:C) in the CVSS vector reflects that the impact extends beyond the Golive component itself to other components on the same network segment reachable by the Jira server.

RemediationAI

Consult the vendor advisory at https://golive.apwide.com/doc/latest/server-data-center/2025-06-06 for the recommended upgrade path; no explicit fixed version number is provided in the available data, so a patched release version could not be independently confirmed. As a compensating control, restrict outbound HTTP/HTTPS connections from the Jira application server using firewall or security group rules to block access to RFC-1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the cloud metadata address 169.254.169.254 - this does not eliminate the vulnerability but removes the most dangerous SSRF targets. If cloud metadata endpoint access is a concern, enforce IMDSv2 (AWS) or equivalent to require a session-oriented token, which SSRF cannot obtain. Disabling the test webhook feature via plugin configuration, if supported, would remove the attack surface entirely but may impair webhook validation workflows.

Share

CVE-2025-45939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy