CVE ID Request - bramw/baserow

Vulnerability Submission

NOTE: Only maintainers of GitLab-hosted projects may request a CVE for a vulnerability within their project.

Project issue: bramw/baserow#370

Publishing Schedule

After a CVE request is validated, a CVE identifier will be assigned. On what schedule should the details of the CVE be published?

  • Publish immediately
  • Wait to publish
---
reporter:
  name: "Bram Wiepjes"
  email: "bram@baserow.io"
vulnerability:
  description: "SSRF in URL file upload in Baserow <1.1.0 allows remote authenticated
    users to retrieve files from the internal server network exposed over HTTP by
    inserting an internal address."
  cwe: "CWE-918"
  product:
    gitlab_path: "bramw/baserow"
    vendor: "Baserow B.V."
    name: "Baserow"
    affected_versions:
    - ">0.6.0, <1.1.0"
    fixed_versions:
    - "1.1.0"
  impact: "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
  solution: Upgrade to version 1.1.0 or above.
  credit: "Thanks [CaptainFreak](https://github.com/CaptainFreak) for reporting this
    vulnerability and for advising how to fix it."
  references:
  - "https://gitlab.com/bramw/baserow/-/issues/370"
  - "https://baserow.io/blog/march-2021-release-of-baserow"

CVSS scores can be computed by means of the NVD CVSS Calculator.
