Exposure of sensitive information to an unauthorized actor (private IP address)

Description

A private RFC 1918/RFC 4193 address was identified in the target application. Public-facing websites should not be issuing requests to private IP addresses. Attackers attempting to execute subsequent attacks, such as Server-Side Request Forgery (SSRF), may be able to use this information to identify additional internal targets.
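One way to run this as a passive check over captured response bodies, added here as an example in Python rather than the scanner's own logic: the sample body is a constructed assumption, and only the RFC 1918 and RFC 4193 ranges the finding names are flagged, not every range Python's is_private reports.

```python
import ipaddress
import re

# Exactly the ranges this finding is about: RFC 1918 (IPv4) and RFC 4193 (IPv6 ULA).
# Python's ip_address(...).is_private is deliberately not used, because it also
# reports documentation ranges such as 203.0.113.0/24 as private.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]

# Loose candidate tokens; validity is decided by ipaddress, not by the regex.
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
IPV6_RE = re.compile(r"(?<![\w:])(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(?![\w:])")


def is_private_address(text):
    """Return True if `text` parses as an address inside RFC 1918 / RFC 4193 space."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # timestamps, version strings, malformed tokens
    return any(addr in net for net in PRIVATE_NETWORKS)


def find_private_addresses(body):
    """Return the distinct private addresses found in a response body, in order found."""
    found = []
    for regex in (IPV4_RE, IPV6_RE):
        for match in regex.finditer(body):
            token = match.group(0)
            if is_private_address(token) and token not in found:
                found.append(token)
    return found


# Constructed sample response body (not real data): an internal host leaked into
# a public page, next to a public address, a version string and a timestamp that
# must not be flagged.
SAMPLE_BODY = """<script src="http://10.1.2.3/static/app.js"></script>
<a href="http://[fd12:3456:789a::1]/admin">internal</a>
<!-- build 1.2.3.4 on 203.0.113.7 at 12:30:45 -->
"""

if __name__ == "__main__":
    for addr in find_private_addresses(SAMPLE_BODY):
        print("private address exposed:", addr)
```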

Remediation

Identify the resource that is incorrectly specifying an internal IP address and replace it with its public-facing version, or remove the reference from the target application.

Details

ID     Aggregated  CWE  Type     Risk
200.1  true        200  Passive  Low