SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918 This vulnerability could allow an attacker to force the server to create and execute a web request granting access to backend APIs that are only accessible to the Mimosa MMP server, or request pages that could perform some actions themselves. The attacker could force the server into accessing routes on those cloud-hosting platforms, accessing secret keys, changing configurations, etc.

Successful exploitation of these vulnerabilities could allow an attacker to gain user data (including organization details) and other sensitive data, compromise Mimosa’s AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorized remote code on all cloud-connected Mimosa devices.

Risk Information

  • CVE ID
  • CVE-2022-21215
  • Vendor
  • Airspan Networks
  • Product
  • Mimosa
  • CVSS v3
  • 10