CVE-2021-25640 — Server-Side Request Forgery in Software Foundation Apache Dubbo

CWE-918 — Server-Side Request Forgery CWE-601 — Open Redirect6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.7%

top 27.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Dubbo Apache Dubbo

Timeline

PublishedJun 1

Latest updateJun 10

Description

In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDapache/dubbo2.5.0 — 2.6.9+1

▶CVEListV5apache_software_foundation/apache_dubboApache Dubbo 2.7.x — 2.7.9+3

🔴Vulnerability Details

GHSA

Server-side request forgery in Apache Dubbo↗2022-06-10

▶

OSV

Server-Side Request Forgery in Apache Dubbo↗2022-03-18

▶

GHSA

Server-Side Request Forgery in Apache Dubbo↗2022-03-18

▶

CVEList

Open Redirect or SSRF vulnerability usage of parseURL↗2021-05-31

▶

💬Community

Bugzilla

CVE-2020-25640 wildfly: resource adapter logs plaintext JMS password at warning level on connection error↗2020-09-22

▶