CVE-2021-25640
MEDIUM6.1EPSS 0.70%Server-Side Request Forgery in Apache Dubbo
Published: 3/18/2022Modified: 11/8/2023
Description
In Apache Dubbo prior to 2.6.9 and 2.7.10, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
Affected packages (2)
- Maven/com.alibaba:dubbo>= 2.5.0, < 2.6.9
- Maven/org.apache.dubbo:dubbo>= 2.5.0, < 2.7.10
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (3)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25640
- WEBhttps://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E