CVE-2022-24969 – com.alibaba:dubbo
Package
Manager: maven
Name: com.alibaba:dubbo
Vulnerable Version: >=2.5.0 <2.6.12
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.02268 (percentile 0.84023)
Details
Server-side request forgery in Apache Dubbo (bypass of the fix for CVE-2021-25640). In Apache Dubbo prior to 2.6.12 and 2.7.15, the use of the parseURL method leads to a bypass of the host whitelist check, which can result in an open redirect or SSRF vulnerability.
Metadata
Created: 2022-06-10T00:00:56Z
Modified: 2022-06-17T19:20:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-gm48-83x4-84jg/GHSA-gm48-83x4-84jg.json
CWE IDs: ["CWE-601", "CWE-918"]
Alternative ID: GHSA-gm48-83x4-84jg
Finding: F100
Auto approve: 1