CVE-2022-24969: Server-side request forgery in Apache Dubbo
Bypass of CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, use of the parseURL method leads to a bypass of the allowed host check, which can cause an open redirect or SSRF vulnerability.
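The version ranges stated above can be checked against a Maven POM, shown here as an added example that is not part of the advisory or of the Dubbo project. The Maven coordinates, the sample POM and all function names are assumptions made for the illustration; versions that are not plain `x.y.z` (property references, snapshots) are returned as `None` for manual review.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory text.
FIXED_26 = (2, 6, 12)
FIXED_27 = (2, 7, 15)
# Assumption: Maven coordinates under which Dubbo is published.
DUBBO_COORDS = {("org.apache.dubbo", "dubbo"), ("com.alibaba", "dubbo")}

# Constructed sample input, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.dubbo</groupId><artifactId>dubbo</artifactId><version>2.7.14</version></dependency>
    <dependency><groupId>com.alibaba</groupId><artifactId>dubbo</artifactId><version>2.6.12</version></dependency>
    <dependency><groupId>org.apache.dubbo</groupId><artifactId>dubbo</artifactId><version>${dubbo.version}</version></dependency>
  </dependencies>
</project>"""

def is_affected(version):
    """True/False per the advisory's ranges; None if the version is not plain x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if m is None:
        return None                      # e.g. ${dubbo.version} or 2.7.15-SNAPSHOT
    v = tuple(int(g) for g in m.groups())
    if v < FIXED_26:                     # everything prior to 2.6.12
        return True
    if v[:2] == (2, 7):                  # 2.7 branch: prior to 2.7.15
        return v < FIXED_27
    return False                         # fixed, or not listed in the advisory text

def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns both match."""
    return tag.rsplit("}", 1)[-1]

def scan_pom(pom_xml):
    """Return (groupId, artifactId, version, verdict) for each Dubbo dependency."""
    findings = []
    for dep in ET.fromstring(pom_xml).iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        coords = (fields.get("groupId"), fields.get("artifactId"))
        if coords in DUBBO_COORDS:
            ver = fields.get("version", "")
            findings.append((coords[0], coords[1], ver, is_affected(ver)))
    return findings

if __name__ == "__main__":
    for group, artifact, ver, verdict in scan_pom(SAMPLE_POM):
        print(f"{group}:{artifact}:{ver} affected={verdict}")
```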