{
  "schema_version": "1.4.0",
  "id": "GHSA-q348-f93x-9gx4",
  "modified": "2021-04-28T22:29:16Z",
  "published": "2021-04-29T21:53:06Z",
  "aliases": [
    "CVE-2021-30492"
  ],
  "summary": "Lack of Input Validation in zendesk_api_client_php for Zendesk Subdomain",
  "details": "### Impact\nLack of input validation of the Zendesk subdomain could expose users of the library to Server Side Request Forgery (SSRF).\n\n### Resolution\nValidate the provided Zendesk subdomain to be a valid subdomain in:\n* getAuthUrl\n* getAccessToken",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zendesk/zendesk_api_client_php"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.11"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zendesk/zendesk_api_client_php/security/advisories/GHSA-q348-f93x-9gx4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendesk/zendesk_api_client_php/pull/466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zendesk/zendesk_api_client_php/commit/b451b743d9d6d81a9abf7cb86e70ec9c5332123e"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-918"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-28T22:29:16Z",
    "nvd_published_at": null
  }
}