Apwide Golive CVE-2025-45939
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Webhook test is a plugin feature requiring Jira login (PR:L); SSRF crosses trust boundary (S:C); no meaningful availability impact from SSRF alone.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Apwide Golive 10.2.0 Jira plugin allows Server-Side Request Forgery (SSRF) via the test webhook function.
AnalysisAI
Server-Side Request Forgery in Apwide Golive 10.2.0 for Jira allows an attacker to abuse the plugin's test webhook function to induce the server to issue HTTP requests to arbitrary internal or external hosts. The vulnerability carries a scope-changed CVSS vector (S:C), meaning requests escape the plugin's trust boundary and can reach internal network resources invisible to the attacker. With an EPSS of 0.29% (20th percentile) and no active exploitation confirmed in CISA KEV, real-world risk is currently low, but the SSRF primitive could enable internal service enumeration or SSRF-chained attacks against cloud metadata endpoints on Jira-hosting infrastructure.
Technical ContextAI
CWE-918 (Server-Side Request Forgery) describes a class of vulnerability where an application fetches a remote resource using attacker-controlled input without adequate validation of the target URL scheme, host, or port. In this case, the vulnerable surface is the 'test webhook' function of the Golive plugin (CPE: cpe:2.3:a:apwide:golive:10.2.0:*:*:*:*:jira:*:*), which is designed to let users verify that a configured webhook endpoint is reachable. By supplying a crafted URL pointing to an internal address (e.g., 169.254.169.254 for cloud metadata, or RFC-1918 addresses for internal services), an attacker can cause the Jira application server to make outbound requests on their behalf. The scope-changed flag (S:C) in the CVSS vector reflects that the impact extends beyond the Golive component itself to other components on the same network segment reachable by the Jira server.
RemediationAI
Consult the vendor advisory at https://golive.apwide.com/doc/latest/server-data-center/2025-06-06 for the recommended upgrade path; no explicit fixed version number is provided in the available data, so a patched release version could not be independently confirmed. As a compensating control, restrict outbound HTTP/HTTPS connections from the Jira application server using firewall or security group rules to block access to RFC-1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the cloud metadata address 169.254.169.254 - this does not eliminate the vulnerability but removes the most dangerous SSRF targets. If cloud metadata endpoint access is a concern, enforce IMDSv2 (AWS) or equivalent to require a session-oriented token, which SSRF cannot obtain. Disabling the test webhook feature via plugin configuration, if supported, would remove the attack surface entirely but may impair webhook validation workflows.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today