CVE-2024-2796: Critical Vulnerability Discovered in Popular API Developer Portal

Security researcher Jakob Antonsson has uncovered a critical vulnerability (CVE-2024-2796) within the Perforce Akana Community Manager Developer Portal. This software is widely used by organizations to build and manage developer portals for their APIs. The vulnerability rated 9.3 (Critical) on the CVSS scale, could allow attackers to perform server-side request forgery (SSRF) attacks.

What is Server-Side Request Forgery?

In an SSRF attack, a malicious actor manipulates a web server into making requests to unintended or unauthorized locations. This can lead to several harmful consequences:

• Data Exposure: Attackers could trick the vulnerable server into sending requests to internal systems, potentially exposing sensitive data.
• Network Mapping: SSRF attacks could be used to map out internal networks, aiding attackers in further compromise.
• Remote Code Execution: In severe cases, SSRF vulnerabilities could allow attackers to execute arbitrary code on the vulnerable server.

Affected Versions

The following versions of the Perforce Akana Community Manager Developer Portal are confirmed affected:

• 2022.1.1
• 2022.1.2
• 2022.1.3

Urgent Action Required

Organizations using the Akana Community Manager Developer Portal are strongly advised to upgrade to one of the patched versions immediately:

• 2022.1.1 (Patched)
• 2022.1.2 (Patched)
• 2022.1.3 (Patched)

Perforce has released patches to address this vulnerability. Failure to patch leaves systems open to potential exploitation by cybercriminals.