{"id":"CVE-2024-41668","summary":"cBioPortal Proxy Endpoint Vulnerabliity","details":"The cBioPortal for Cancer Genomics provides visualization, analysis, and download of large-scale cancer genomics data sets. When running a publicly exposed proxy endpoint without authentication, cBioPortal could allow someone to perform a Server Side Request Forgery (SSRF) attack. Logged in users could do the same on private instances. A fix has been released in version 6.0.12. As a workaround, one might be able to disable `/proxy` endpoint entirely via, for example, nginx.","aliases":["GHSA-9h44-r3c3-q7rm"],"modified":"2026-04-12T08:40:55.850235Z","published":"2024-07-23T18:14:41.169Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41668.json","cwe_ids":["CWE-918"]},"references":[{"type":"WEB","url":"https://github.com/cBioPortal/cbioportal/releases/tag/v6.0.12"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/41xxx/CVE-2024-41668.json"},{"type":"ADVISORY","url":"https://github.com/cBioPortal/cbioportal/security/advisories/GHSA-9h44-r3c3-q7rm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-41668"},{"type":"ADVISORY","url":"https://www.wizlynxgroup.com/security-research-advisories/vuln/WLX-2024-004"},{"type":"FIX","url":"https://github.com/cBioPortal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5"},{"type":"FIX","url":"https://github.com/cBioPortal/cbioportal/pull/10884"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cbioportal/cbioportal","events":[{"introduced":"0"},{"fixed":"ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5"}]},{"type":"GIT","repo":"https://github.com/cbioportal/cbioportal","events":[{"introduced":"0"},{"fixed":"608fca4d4c33ec473c5a847e57bf0394860c1dd4"}]},{"type":"GIT","repo":"https://github.com/cbioportal/cbioportal","events":[{"introduced":"0"},{"fixed":"ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5"}]},{"type":"GIT","repo":"https://github.com/cbioportal/cbioportal","events":[{"introduced":"0"},{"fixed":"608fca4d4c33ec473c5a847e57bf0394860c1dd4"}]}],"versions":["untagged-46e68095e194ee3ab21c","untagged-5c091fa4fd789aa79296","v1.0.0","v1.1.0","v1.2.1","v1.2.2","v1.2.4","v1.2.5","v1.3.0","v3.2.0","v3.2.1","v3.2.10","v3.2.11","v3.2.12","v3.2.13","v3.2.14","v3.2.15","v3.2.2","v3.2.3","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6","v3.3.7","v3.4.0","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v3.4.18","v3.4.19","v3.4.2","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.3","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v3.5.0","v3.5.1","v3.5.2","v3.5.3","v3.5.4","v3.5.5","v3.6.0","v3.6.1","v3.6.10","v3.6.11","v3.6.12","v3.6.13","v3.6.14","v3.6.15","v3.6.16","v3.6.17","v3.6.18","v3.6.19","v3.6.2","v3.6.20","v3.6.21","v3.6.22","v3.6.3","v3.6.4","v3.6.5","v3.6.6","v3.6.7","v3.6.8","v3.6.9","v3.7.0","v3.7.1","v3.7.10","v3.7.11","v3.7.12","v3.7.13","v3.7.14","v3.7.15","v3.7.16","v3.7.17","v3.7.18","v3.7.19","v3.7.2","v3.7.20","v3.7.21","v3.7.22","v3.7.24","v3.7.25","v3.7.26","v3.7.27","v3.7.28","v3.7.29","v3.7.3","v3.7.30","v3.7.4","v3.7.5","v3.7.6","v3.7.7","v3.7.8","v3.7.9","v4.0.0","v4.0.1","v4.0.2","v4.0.3","v4.1.0","v4.1.1","v4.1.10","v4.1.11","v4.1.13","v4.1.14","v4.1.15","v4.1.16","v4.1.17","v4.1.18","v4.1.19","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.1.9","v5.0.0","v5.0.1","v5.0.2","v5.1.0","v5.1.1","v5.1.10","v5.1.2","v5.1.3","v5.1.4","v5.1.5","v5.1.6","v5.1.7","v5.1.9","v5.2.0","v5.2.1","v5.2.10","v5.2.11","v5.2.2","v5.2.3","v5.2.4","v5.2.5","v5.2.6","v5.2.7","v5.2.8","v5.2.9","v5.3.0","v5.3.1","v5.3.10","v5.3.11","v5.3.12","v5.3.13","v5.3.14","v5.3.15","v5.3.16","v5.3.17","v5.3.18","v5.3.19","v5.3.2","v5.3.3","v5.3.4","v5.3.5","v5.3.6","v5.3.7","v5.3.8","v5.3.9","v5.4.0","v5.4.1","v5.4.10","v5.4.2","v5.4.3","v5.4.4","v5.4.5","v5.4.6","v5.4.7","v5.4.9","v6.0.0","v6.0.1","v6.0.10","v6.0.11","v6.0.2","v6.0.3","v6.0.4","v6.0.5","v6.0.6","v6.0.7","v6.0.8","v6.0.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-41668.json","vanir_signatures":[{"id":"CVE-2024-41668-0d06e2f5","target":{"function":"proxyOncokb","file":"src/main/java/org/cbioportal/proxy/ProxyController.java"},"deprecated":false,"source":"https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5","signature_type":"Function","digest":{"function_hash":"238874441046744172239768969093348959863","length":664},"signature_version":"v1"},{"id":"CVE-2024-41668-2327bc48","target":{"function":"getResourceStream","file":"src/main/java/org/cbioportal/proxy/ProxyController.java"},"deprecated":false,"source":"https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5","signature_type":"Function","digest":{"function_hash":"166124581723100463919540991221151501983","length":359},"signature_version":"v1"},{"id":"CVE-2024-41668-49baf616","target":{"function":"legacyProxyOncokb","file":"src/main/java/org/cbioportal/proxy/ProxyController.java"},"deprecated":false,"source":"https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5","signature_type":"Function","digest":{"function_hash":"76800250832716251250644907473172298692","length":381},"signature_version":"v1"},{"id":"CVE-2024-41668-954ddd36","target":{"file":"src/main/java/org/cbioportal/proxy/ProxyController.java"},"deprecated":false,"source":"https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["8354877051200179143885715019814167995","72902551453453994601450282133068433592","135827395203083931367040569756682611935","18548600988054522750782093557097390862","112211257960498706423123175625586661845","148766345394678077781696193336077211791","72223570526924517005209613040156459897","204432403054961511955038099375169281483","267118966942296435619347321477997971928","39917716663608181141736465198567593231","305335121461463043937057044381077956266","326932533834118964228308266445297821054","3758464119841610449366124403698280602","168092101465021717695833810349845288288","253238563998290816766496874999970737873","95223153768397238913085480492184576463","145060772487337941004386728651590509332","283951869101973464169259344206255403819","210956852007339621658987849372997160142","13568177450940027457379386503114833998","220969762108262327553331472298625139059","219858847519542479240904008556779363687","338356937399769817305536664144226453521","135043083403866673701594170477228093181","102708910527602459478824782428490500947","235493256509805757877837575425515173587","1838450600435645437807213326223068523","311982301745535983708004852235301468699","177933817490325708204341014397170054752","196362055903086841378029281786594054181","336186904764430584905803029872666036593","259702291865779899610467330553460525013","249165489594268425707324670149097010421","259280750076012808959141630493983774000","70396249472224727347146625628125271926","327077872392082455297238740354159009247","261258771608801193975908030506653046396","19711228540635705255693785010681309979","65899982903293132329473320864105094226","195707193699073760313831174810613990653","124332062058603657569178309585998293098","156593448092957614727213633838574806776","125902588296500553616911334504217644831","135748153207064906179650867736160208470","251766708223733774204674078062496463684","116132242844887654937026730063059000874","277184359444174292979413560249451519960","175647377744998651005936866523018914087","157318899888597408224580137104834486613","85663181714287677924210704068304069903","64274718598404650118185951498162554566","188292374726817759709904545680460622728","53036563161135920211317499648064277341","257506418723880822106781857295083894285","291398333416626106492059405111953077058","126438349394858955575471946305193116081","54743675216092119265544678838710793950","32293087934973129798924105547652987105","8671692575176623003781666295790871887","106388058172764832643611546392090845558","237372832122560731681815044539222612865","263536508753570317572460760414280305024","139799709574148996661811010171938209317","87407113120595751369552967913597597861","158490835128830315507637694755169260716","239250060498075521659663342884255419105","197142195094322652825965832275741783287","260993492727158696324375086209679962232","283907604332723483967936762641396439815","138042952853629368011895018935779574889","114940778428090411245254156749585490735","224733574064580313708612970795389068756","143883635632103900561784487296743508427","57657196577827041445961217379050884353","20350268626851155060413178453599354855","290396674159461984150954684565784527071","59891531092610484973916748844102728021","19721517004247828111536962117016804626","253837556512803838468432784938165475362","214899410150797638851707618659324806024","199248690576950491109308563139499721641","108611427212721053567490460099004993366","323658091525524919526299586186225972015","48003330313242537578296083376324978983","29498782237188282681149796935693081141","336408347358928856961986043291792375100","84817024728040376600323882131420764115","328086463338275044213974799726024192162","121741212233623446526354701526773591046","91583527215201956575026898824937672333","203176561898984189317864381306388329581","336545993650229207212457576731521981156","72605066940940105482441978494300034775","227629035929039151149534853771040721132","247117166964092623313424840819237673365","125534952303568367614587706973143550148","24722823720409637997248729103310620579","102431171181372344490612563828118282567","99986935915462254261954921131931594424","157647418324818693119227500814515445612","11395130075276978956110231771730223196"]},"signature_version":"v1"},{"id":"CVE-2024-41668-bd528b19","target":{"function":"loadProperties","file":"src/main/java/org/cbioportal/proxy/ProxyController.java"},"deprecated":false,"source":"https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5","signature_type":"Function","digest":{"function_hash":"121574912790120695669677442512621963020","length":244},"signature_version":"v1"},{"id":"CVE-2024-41668-edd6bf26","target":{"function":"proxy","file":"src/main/java/org/cbioportal/proxy/ProxyController.java"},"deprecated":false,"source":"https://github.com/cbioportal/cbioportal/commit/ea8642fdbda2d61d2ab34b9da7a1594680bbbcd5","signature_type":"Function","digest":{"function_hash":"247236920457912702755253625304329297215","length":409},"signature_version":"v1"}],"vanir_signatures_modified":"2026-04-12T08:40:55Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"}]}