Description
In Apache Dubbo prior to 2.6.9 and 2.7.9, use of the parseURL method allows the white (allowed) host check to be bypassed, which can lead to an open redirect or SSRF vulnerability.
Remediation
References
https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E