Description
In Apache Dubbo before 2.6.9 and 2.7.9, use of the parseURL method bypasses the white host (allowed host) check, which can lead to an open redirect or SSRF vulnerability.
Remediation
References
https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E