CVE-2022-24969

CWE-918 — Server-Side Request Forgery (SSRF)CWE-601 — Open Redirect4 documents4 sources

Severity

6.1MEDIUM

EPSS

2.4%

top 14.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Dubbo Apache Dubbo

Timeline

PublishedJun 9

Latest updateJun 10

Description

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶NVDapache/dubbo2.7.0 — 2.7.15+1

▶Mavenorg.apache.dubbo:dubbo2.5.0 — 2.7.15

▶CVEListV5apache_software_foundation/apache_dubboApache Dubbo 2.7.x — 2.7.15+1

▶Mavencom.alibaba:dubbo2.5.0 — 2.6.12

🔴Vulnerability Details

OSV

Server-side request forgery in Apache Dubbo↗2022-06-10

▶

GHSA

Server-side request forgery in Apache Dubbo↗2022-06-10

▶

CVEList

bypass of CVE-2021-25640↗2022-06-06

▶