
CVE-2021-25640 com.alibaba:dubbo

Package

Manager: maven
Name: com.alibaba:dubbo
Vulnerable Version: >=2.5.0 <2.6.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00398 pctl0.59804

Details

Server-Side Request Forgery in Apache Dubbo

In Apache Dubbo prior to 2.6.9 and 2.7.10, use of the parseURL method lets an attacker bypass the white-host (host allowlist) check, which can result in an open redirect or an SSRF vulnerability.
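The bug class this advisory describes (CWE-601/CWE-918: a host allowlist check defeated by how the URL is parsed) is illustrated below with an added Python example written for this page. It is not Apache Dubbo's parseURL or any code from the project; the allowlist, the probe URLs and the function names are constructed for the illustration. The weak check hand-parses the authority and prefix-matches it, which is the shape of check that lets `allowed@evil` and `allowed.evil` pass; the strict check parses with a real URL parser and compares the exact hostname the client would connect to.

```python
from urllib.parse import urlsplit

# Constructed allowlist and sample URLs for this illustration; they are not
# taken from Apache Dubbo or from the advisory.
ALLOWED_HOSTS = {"api.example.com", "internal.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def weak_host_check(url: str) -> bool:
    """Hand-rolled parse plus prefix match: the pattern behind many allowlist
    bypasses. Everything between '://' and the first '/' is treated as the
    host and accepted if it merely starts with an allowlisted name."""
    if "://" not in url:
        return False
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return any(authority.startswith(h) for h in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Hardened check: parse with the standard-library URL parser, reject
    ambiguous authorities, then exact-match the normalised hostname."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # Reject userinfo outright: 'allowed@evil' is the classic SSRF trick.
    if "@" in parts.netloc:
        return False
    # Reject backslashes: some clients normalise '\' to '/', so parsers can
    # disagree on where the host ends.
    if "\\" in parts.netloc:
        return False
    host = parts.hostname  # lower-cased, IPv6 brackets stripped, port removed
    if host is None:
        return False
    return host in ALLOWED_HOSTS


# Constructed probe URLs: two that should pass and three allowlist bypasses.
PROBES = [
    ("https://api.example.com/v1/users", True),
    ("http://internal.example.com:8080/health", True),
    ("http://api.example.com@evil.example/", False),    # userinfo trick
    ("http://api.example.com.evil.example/", False),    # prefix / lookalike domain
    ("http://api.example.com\\@evil.example/", False),  # backslash confusion
]


def run_probes():
    """Return {url: (weak_result, strict_result, expected)} for every probe."""
    return {u: (weak_host_check(u), strict_host_check(u), ok) for u, ok in PROBES}


if __name__ == "__main__":
    for url, (weak, strict, expected) in run_probes().items():
        print(f"{url:42} weak={weak!s:5} strict={strict!s:5} expected={expected}")
```

Running the block shows the weak check accepting all five probes, including the three whose real destination is `evil.example`, while the strict check accepts only the two legitimate URLs. The general rule it demonstrates: validate the host on the parsed, normalised form that the HTTP client will actually use, never on a substring or prefix of the raw string.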

Metadata

Created: 2022-03-18T17:56:45Z
Modified: 2022-03-18T17:56:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-gw4j-4229-q4px/GHSA-gw4j-4229-q4px.json
CWE IDs: ["CWE-601", "CWE-918"]
Alternative ID: GHSA-gw4j-4229-q4px
Finding: F100
Auto approve: 1