GHSA-gm48-83x4-84jg

Source

https://github.com/advisories/GHSA-gm48-83x4-84jg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-gm48-83x4-84jg/GHSA-gm48-83x4-84jg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gm48-83x4-84jg

Aliases

CVE-2022-24969

Published

2022-06-10T00:00:56Z

Modified

2023-11-08T04:08:40.767472Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Server-side request forgery in Apache Dubbo

Details

bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-601",
        "CWE-918"
    ],
    "github_reviewed_at": "2022-06-10T19:53:04Z",
    "nvd_published_at": "2022-06-09T16:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven / org.apache.dubbo:dubbo

Package

Name: org.apache.dubbo:dubbo; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dubbo/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.7.15

Affected versions

2.*

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.4.1

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

Maven / com.alibaba:dubbo

Package

Name: com.alibaba:dubbo; View open source insights on deps.dev
Purl: pkg:maven/com.alibaba/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.0

Fixed

2.6.12

Affected versions

2.*

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.10.1

2.6.11