CVE-2023-25753

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-25753

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-25753.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-25753

Aliases

GHSA-7w8v-5fcq-pvqw

Withdrawn

2024-09-03T04:41:24.273054Z

Published

2023-10-19T09:15:08Z

Modified

2024-09-02T20:55:33Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter.

Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing.

This issue affects Apache ShenYu: 2.5.1.

Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 .

References

https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d

Affected packages

Git / github.com/apache/incubator-shenyu

Affected ranges

Type: GIT
Repo: https://github.com/apache/incubator-shenyu
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

52f7f77d35a42fc66be544ae10b9337ecd1c8739