GHSA-287c-fxr7-3w6c

Source
https://github.com/advisories/GHSA-287c-fxr7-3w6c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-287c-fxr7-3w6c/GHSA-287c-fxr7-3w6c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-287c-fxr7-3w6c
Aliases
  • CVE-2026-42404
Related
Published
2026-05-01T12:30:24Z
Modified
2026-05-12T16:59:17.184742913Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
Apache Neethi doesn't impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API
Details

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, the outbound request is made regardless of the URI's protocol or destination, including internal IP addresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden.

Users are recommended to upgrade to version 3.2.2, which fixes this issue.
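As an added illustration (not Apache Neethi's code; the project's actual 3.2.2 implementation may differ), the following Java class applies the restrictions the advisory describes to a policy URI before any fetch is attempted: only http or https schemes, and a host that resolves to no link-local, multicast or any-local address, using the standard java.net.InetAddress predicates. The class name PolicyUriGuard and the method isAllowed are assumptions for this example.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;

/** Illustrative guard for remote policy URIs; not Apache Neethi's own code. */
public final class PolicyUriGuard {
    private PolicyUriGuard() {}

    /** True only for http/https URIs whose host resolves to no forbidden address. */
    public static boolean isAllowed(String uriString) {
        final URI uri;
        try {
            uri = new URI(uriString);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // relative or opaque URI: nothing to trust
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false; // file:, ftp:, jar: and any other scheme are rejected
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false; // e.g. "http:///path" or a malformed authority
        }
        try {
            // Check every address the host resolves to, not only the first one.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLinkLocalAddress() || addr.isMulticastAddress()
                        || addr.isAnyLocalAddress()) {
                    return false; // the three classes the 3.2.2 fix forbids
                }
            }
        } catch (UnknownHostException e) {
            return false; // unresolvable host: fail closed
        }
        return true;
    }
}
```

For constructed inputs such as `http://169.254.1.1/policy.xml`, `http://224.0.0.1/policy.xml`, `http://0.0.0.0/policy.xml` and `file:///etc/policy.xml` the method returns false, while `https://203.0.113.10/policy.xml` passes. Because the HTTP client resolves the name again and may follow redirects, a deployment should connect to the address that was validated and re-run the check on any redirect target.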

Database specific
{
    "nvd_published_at": "2026-05-01T11:16:19Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed_at": "2026-05-07T02:54:54Z",
    "github_reviewed": true,
    "severity": "MODERATE"
}
References

Affected packages

Maven / org.apache.neethi:neethi

Package

Name
org.apache.neethi:neethi
Purl
pkg:maven/org.apache.neethi/neethi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.2.2

Affected versions

2.*
2.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.2.0
3.2.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-287c-fxr7-3w6c/GHSA-287c-fxr7-3w6c.json"