📄 الوصف (الإنجليزية)
A vulnerability was detected in kalcaddle kodbox up to 1.64. This affects an unknown function of the component shareMake/shareCheck. Performing a manipulation of the argument siteFrom/siteTo results in server-side request forgery. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🤖 ملخص AI
CVE-2026-5618 is a Server-Side Request Forgery (SSRF) vulnerability in Kalcaddle Kodbox versions up to 1.64 affecting the shareMake/shareCheck component. The vulnerability allows remote attackers to manipulate siteFrom/siteTo parameters to perform unauthorized requests from the server. With a CVSS score of 5.6 (medium) and public exploit availability, this poses a moderate risk to organizations using vulnerable Kodbox instances, particularly those handling sensitive document sharing.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: May 25, 2026 00:37
🇸🇦 التأثير على المملكة العربية السعودية
This SSRF vulnerability poses significant risk to Saudi government entities, financial institutions, and enterprises using Kodbox for document management and collaboration. Government agencies (under NCA oversight) and SAMA-regulated financial institutions are particularly vulnerable if Kodbox is used for internal document sharing. The vulnerability could enable attackers to access internal resources, bypass network segmentation, and potentially reach critical infrastructure systems. Healthcare organizations and energy sector entities using Kodbox for secure document exchange are also at elevated risk. The lack of vendor response increases the severity for Saudi organizations relying on this platform.
🏢 القطاعات السعودية المتأثرة
Government (NCA-regulated entities)
Banking and Financial Services (SAMA-regulated)
Healthcare
Energy (ARAMCO and related)
Telecommunications (STC and related)
Education
Enterprise/Corporate
Legal Services
🎯 تقنيات MITRE ATT&CK
T1190 - Exploit Public-Facing Application
T1557 - Man-in-the-Middle (potential for internal traffic interception)
T1570 - Lateral Tool Transfer (SSRF to access internal resources)
T1021 - Remote Services (access to internal services via SSRF)
T1040 - Traffic Sniffing (potential internal network reconnaissance)
T1046 - Network Service Discovery (via SSRF to internal services)
⚖️ درجة المخاطر السعودية (AI)
6.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Kodbox instances in your environment running versions up to 1.64
2. Audit shareMake/shareCheck functionality logs for suspicious siteFrom/siteTo parameter manipulation
3. Implement network segmentation to restrict outbound requests from Kodbox servers
4. Monitor for SSRF indicators: unusual outbound connections, internal IP access attempts, metadata service access
Patching Guidance:
1. Contact Kalcaddle for security updates or consider alternative document management solutions
2. If patching unavailable, implement input validation on siteFrom/siteTo parameters
3. Whitelist allowed domains for share operations
4. Disable shareMake/shareCheck functionality if not required
Compensating Controls:
1. Deploy Web Application Firewall (WAF) rules to detect SSRF patterns in share parameters
2. Implement strict egress filtering on Kodbox server network interfaces
3. Use proxy/firewall to block internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16)
4. Enable detailed logging and alerting for share operations
5. Restrict Kodbox service account privileges
Detection Rules:
1. Alert on siteFrom/siteTo parameters containing: localhost, 127.0.0.1, internal IPs, cloud metadata endpoints (169.254.169.254)
2. Monitor for unusual outbound connections from Kodbox processes
3. Track failed share operations with suspicious parameter values
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ Kodbox في بيئتك التي تعمل بالإصدارات حتى 1.64
2. تدقيق سجلات وظائف shareMake/shareCheck للتلاعب المريب بمعاملات siteFrom/siteTo
3. تنفيذ تقسيم الشبكة لتقييد الطلبات الصادرة من خوادم Kodbox
4. مراقبة مؤشرات SSRF: الاتصالات الصادرة غير العادية، محاولات الوصول إلى IP الداخلية، الوصول إلى خدمات البيانات الوصفية
إرشادات التصحيح:
1. التواصل مع Kalcaddle للحصول على تحديثات أمان أو النظر في حلول إدارة المستندات البديلة
2. إذا لم يكن التصحيح متاحاً، تنفيذ التحقق من صحة الإدخال على معاملات siteFrom/siteTo
3. إدراج النطاقات المسموحة في قائمة بيضاء لعمليات المشاركة
4. تعطيل وظائف shareMake/shareCheck إذا لم تكن مطلوبة
الضوابط البديلة:
1. نشر قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط SSRF في معاملات المشاركة
2. تنفيذ تصفية الخروج الصارمة على واجهات شبكة خادم Kodbox
3. استخدام وكيل/جدار حماية لحظر نطاقات IP الداخلية
4. تفعيل السجلات التفصيلية والتنبيهات لعمليات المشاركة
5. تقييد امتيازات حساب خدمة Kodbox
قواعد الكشف:
1. التنبيه على معاملات siteFrom/siteTo التي تحتوي على: localhost، 127.0.0.1، IPs داخلية، نقاط نهاية البيانات الوصفية السحابية
2. مراقبة الاتصالات الصادرة غير العادية من عمليات Kodbox
3. تتبع عمليات المشاركة الفاشلة بقيم معاملات مريبة
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies (incident response for SSRF)
A.5.2.1 - Access Control (restrict Kodbox service privileges)
A.5.3.1 - Cryptography (secure communication for share operations)
A.5.4.1 - Physical and Environmental Security (network segmentation)
A.5.5.1 - Operations Security (monitoring and logging of share functions)
A.5.6.1 - Communications Security (egress filtering)
🔵 SAMA CSF
ID.AM-2 - Asset Management (identify Kodbox instances)
PR.AC-1 - Access Control (restrict outbound requests)
PR.DS-1 - Data Security (protect document sharing)
DE.CM-1 - Detection and Analysis (monitor SSRF indicators)
RS.MI-1 - Response Mitigation (implement compensating controls)
🟡 ISO 27001:2022
A.5.1.1 - Information security policies and procedures
A.5.2.1 - User access management
A.5.3.1 - Cryptography
A.5.4.1 - Physical and environmental security
A.5.5.1 - Operations security
A.5.6.1 - Communications security
A.5.7.1 - System acquisition, development and maintenance
A.5.8.1 - Supplier relationships
A.5.9.1 - Information security incident management
🟣 PCI DSS v4.0.1
Requirement 1.3 - Prohibit direct public access between the Internet and any system component in the cardholder data environment (if Kodbox handles payment data)
Requirement 6.5.1 - Injection flaws (SSRF is a form of injection)
Requirement 10.3 - Track and monitor all access to cardholder data environment assets