CVE-2022-24969

Server-side request forgery in Apache Dubbo in maven/com.alibaba/dubbo

Identifiers

GHSA-gm48-83x4-84jg, CVE-2022-24969

Package Slug

maven/com.alibaba/dubbo

Vulnerability

Server-side request forgery in Apache Dubbo

Description

Bypass of the fix for CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, the use of the parseURL method leads to a bypass of the allowed-host check, which can result in an open redirect or SSRF vulnerability.

Affected Versions

All versions starting from 2.5.0 before 2.6.12

Solution

Upgrade to version 2.6.12 or above.

Last Modified

2022-06-13