Hi,

Severity: low

Vendor: The Dubbo Project Team

Versions Affected:
Dubbo 2.7.0 to 2.7.9
Dubbo 2.6.0 to 2.6.9
Dubbo all 2.5.x versions (no longer supported by the official team)

Description:
Use of the parseURL method allows the white host check to be bypassed, which can lead to an open redirect or SSRF vulnerability.
Evil URL sample: https://evilhost#@whitehost

Mitigation:
Upgrade to 2.7.10+ or 2.6.9+ depending on the version currently in use.
https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10
https://dubbo.apache.org/en/blog/2020/05/18/past-releases/

Credit:
This issue was first reported by Bing Dong Jun
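The sample URL above works because a lenient "user:pass@host" style parser and an RFC 3986 parser disagree about which part of `https://evilhost#@whitehost` is the host. The following added example (not Dubbo's code; the lenient parser is a reconstruction of the general weakness, and the allow-list is constructed) shows that disagreement and an allow-list check that uses the same parser the HTTP client will, rejecting userinfo and fragments so the authority cannot be smuggled:

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example; not a Dubbo configuration value.
ALLOWED_HOSTS = {"whitehost"}


def naive_host(url: str) -> str:
    """Host as a lenient 'user:pass@host' parser sees it (assumed weak behaviour).

    Strips the scheme, then treats everything before the last '@' in the
    authority as credentials, so the host becomes whatever follows the '@'.
    Illustrative reconstruction only, not Dubbo's parseURL.
    """
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = rest.split("/", 1)[0]          # stop at the first path separator
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]  # drop presumed userinfo
    return authority.split(":", 1)[0]           # drop any port


def strict_host(url: str) -> str:
    """Host as an RFC 3986 parser (and therefore an HTTP client) sees it.

    '#' terminates the authority, so '@whitehost' is the fragment here.
    """
    return urlsplit(url).hostname or ""


def is_allowed_redirect(url: str) -> bool:
    """Allow-list check that does not share the parsing ambiguity.

    Uses the same parser the client will, and refuses any URL carrying
    userinfo or a fragment, since neither belongs in a redirect target.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.fragment:
        return False
    return (parts.hostname or "") in ALLOWED_HOSTS


if __name__ == "__main__":
    sample = "https://evilhost#@whitehost"
    print("lenient parser host:", naive_host(sample))     # whitehost (passes a naive check)
    print("strict parser host: ", strict_host(sample))    # evilhost (where the client connects)
    print("allowed redirect:   ", is_allowed_redirect(sample))  # False
```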
