Vulnerability Description
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
CVSS Score
6.1
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Dubbo | >= 2.5.0, < 2.6.9 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fMailing ListVendor Advisory
- https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fMailing ListVendor Advisory
- https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fMailing ListVendor Advisory
- https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fMailing ListVendor Advisory
FAQ
What is CVE-2021-25640?
CVE-2021-25640 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
How severe is CVE-2021-25640?
CVE-2021-25640 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-25640?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Dubbo.