Sergey Volosatov

**Name of the Vulnerable Software and Affected Versions** Apache Kvrocks versions 1.0 through 2.11.0 **Description** A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks did not detect if `Host:` or `POST` appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when chained with SSRF. This issue is similar to a previously identified vulnerability in Redis. **Recommendations** For Apache Kvrocks versions 1.0 through 2.11.0, upgrade to version 2.11.1, which fixes the issue. As a temporary workaround, consider restricting access to the database operations that can be triggered by the vulnerability until the update is applied.