CVE-2022-24969

MEDIUM6.1EPSS 2.4%

Server-side request forgery in Apache Dubbo

Published: 6/10/2022Modified: 11/8/2023

Description

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.

Affected packages (2)

Maven/com.alibaba:dubbo>= 2.5.0, < 2.6.12
Maven/org.apache.dubbo:dubbo>= 2.5.0, < 2.7.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYhttps://github.com/advisories/GHSA-gw4j-4229-q4px
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25640
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24969
WEBhttps://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr