CVE-2024-51981

medium

Description

An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CLRF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The attacker can control all the HTTP data sent in the SSRF connection, but the attacker can not receive any data back from this connection.

References

https://www.toshibatec.com/information/20250625_02.html

https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2025-000007

https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2025-0001.pdf

https://www.fujifilm.com/fbglobal/eng/company/news/notice/2025/0625_announce.html

https://support.brother.com/g/b/link.aspx?prod=lmgroup1&faqid=faqp00100620_000

https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100848_000

https://support.brother.com/g/b/link.aspx?prod=group2&faqid=faq00100846_000

https://github.com/sfewer-r7/BrotherVulnerabilities

https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf

Details

Source: Mitre, NVD

Published: 2025-06-25

Updated: 2025-06-26

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00044