Description
In Apache Dubbo prior to 2.6.9 and 2.7.9, the use of the parseURL method leads to a bypass of the whitelisted-host check, which can result in an open redirect or SSRF vulnerability.
Remediation
References
https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E