SSRF in Apache Dubbo
CVE-2021-25640
In Apache Dubbo before 2.6.9 (2.6.x branch) and before 2.7.9 (2.7.x branch), use of the parseURL method bypasses the white-host check, which can lead to an open redirect or an SSRF (Server-Side Request Forgery) vulnerability: a caller-supplied URL that the check accepts may point the server at a host the allowlist was meant to exclude. Upgrading to 2.6.9 or 2.7.9 (or later) removes the bypass.
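The failure class behind this advisory is a host-allowlist check whose notion of "the host" differs from the one the component that later follows the URL uses. The example below is added here for illustration; it is not Dubbo's parseURL code and does not reproduce the specific Dubbo bypass, which the advisory does not detail. It contrasts a lenient substring-based host extraction with a strict java.net.URI check that rejects userinfo and non-http(s) schemes and hands back the parsed URI so the caller connects to exactly what was validated. The allowlist and sample URLs are constructed for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class HostAllowlistCheck {
    // Constructed allowlist for this example (not Dubbo's configuration).
    private static final Set<String> ALLOWED_HOSTS = Set.of("allowed.example.com");

    /**
     * Lenient check: takes whatever follows "://" up to the first '/', ':', '@', '?' or '#'.
     * This is the pattern that lets the check and the HTTP client disagree about the host,
     * e.g. "http://allowed.example.com@attacker.example.net/" passes here but a real client
     * treats "allowed.example.com" as userinfo and connects to attacker.example.net.
     */
    static boolean naiveHostAllowed(String url) {
        int start = url.indexOf("://");
        if (start < 0) return false;
        String rest = url.substring(start + 3);
        int end = rest.length();
        for (char c : new char[] {'/', ':', '@', '?', '#'}) {
            int i = rest.indexOf(c);
            if (i >= 0 && i < end) end = i;
        }
        return ALLOWED_HOSTS.contains(rest.substring(0, end).toLowerCase());
    }

    /**
     * Strict check: parse once with java.net.URI, require an absolute http(s) URL with a
     * server-based authority, no userinfo, and an exact host match. Returns the parsed URI
     * (or null if rejected) so the caller connects to the validated object, never the raw string.
     */
    static URI strictAllowedUri(String url) {
        URI uri;
        try {
            uri = new URI(url).parseServerAuthority(); // rejects malformed authorities
        } catch (URISyntaxException e) {
            return null;
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return null;                                // no file:, gopher:, relative refs, ...
        }
        if (uri.getUserInfo() != null) return null;    // "user@host" confusion
        String host = uri.getHost();
        if (host == null) return null;                  // opaque or registry-based authority
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) return null;
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate URL and three that should be rejected.
        String[] samples = {
            "http://allowed.example.com/api",
            "http://allowed.example.com@attacker.example.net/", // lenient check reads userinfo as host
            "http://allowed.example.com.attacker.example.net/", // prefix-matching traps
            "file:///etc/hosts",                                 // no "://" host at all
        };
        for (String s : samples) {
            System.out.printf("%-52s naive=%-5s strict=%s%n",
                    s, naiveHostAllowed(s), strictAllowedUri(s) != null);
        }
    }
}
```

The design point is that validation and use must share one parse: whatever object the allowlist check inspected is the object handed to the HTTP client or redirect, so a second, more permissive parser cannot reinterpret the authority on the way out.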
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.021 (79.1st percentile).
CVSS v3 metric
CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
Affected products
- Apache Dubbo (Apache Software Foundation): 2.6.x before 2.6.9, 2.7.x before 2.7.9
Weakness classification (CWE)
References
- security@apache.org (Mailing List, x_refsource_MISC, Vendor Advisory)
Frequently asked questions
- What is CVE-2021-25640?
- CVE-2021-25640 is a medium-severity vulnerability in Apache Dubbo, classified as Server-Side Request Forgery (SSRF); the advisory notes it can also be exploited as an open redirect. CVSS v3 base score: 6.1/10. Published 2021-06-01.
- How severe is CVE-2021-25640?
- Medium severity. CVSS v3 base score is 6.1 out of 10.