PT-2021-16719 · Apache · Apache Dubbo

Bing Dong

Published

2021-05-31

Updated

2022-10-25

CVE-2021-25640

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Apache Dubbo versions prior to 2.6.9 and 2.7.9 Apache Dubbo versions prior to 2.6.9 and 2.7.10 Apache Dubbo versions prior to 2.6.12 and 2.7.15

However, to consolidate the ranges of affected versions into the most concise form and avoid redundant or overlapping statements, the above can be simplified to: Apache Dubbo versions prior to 2.6.12 and 2.7.15

Description The usage of the parseURL method in Apache Dubbo can lead to the bypass of the white host check, potentially causing open redirect or Server-Side Request Forgery (SSRF) issues.

Recommendations For versions prior to 2.6.12 and 2.7.15, update to version 2.6.12 or 2.7.15 or later to resolve the issue. As a temporary workaround, consider restricting the usage of the parseURL method until a patch is available.

Fix

SSRF

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918CWE-601

Related Identifiers

CVE-2021-25640

GHSA-GM48-83X4-84JG

GHSA-GW4J-4229-Q4PX

Affected Products

Apache Dubbo

PT-2021-16719 · Apache · Apache Dubbo

CVE-2021-25640

Weakness Enumeration

Related Identifiers

Affected Products

References · 10