Description
In Apache Dubbo versions prior to 2.6.9 and 2.7.9, use of the parseURL method can bypass the whitelisted host check, which can lead to an open redirect or an SSRF vulnerability.
Remediation
References
https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E
Related Vulnerabilities
CVE-2019-10446 Vulnerability in maven package org.jenkins-ci.plugins:vmanager-plugin
CVE-2022-45693 Vulnerability in maven package org.codehaus.jettison:jettison
CVE-2015-8855 Vulnerability in maven package org.webjars.bower:semver
CVE-2019-16561 Vulnerability in maven package org.jenkins-ci.plugins:websphere-deployer
CVE-2023-49674 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner