CVE-2022-24969

MEDIUM6.1EPSS 2.4%

Server-side request forgery in Apache Dubbo

發布日:2022/6/10修改日:2023/11/8

描述

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.

受影響套件(2)

Maven/com.alibaba:dubbo>= 2.5.0, < 2.6.12
Maven/org.apache.dubbo:dubbo>= 2.5.0, < 2.7.15

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

參考連結(4)

ADVISORYhttps://github.com/advisories/GHSA-gw4j-4229-q4px
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-25640
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24969
WEBhttps://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr