Severity: low

Vendor: The Dubbo Project Team

Versions Affected:
Dubbo 2.7.0 to 2.7.14
Dubbo 2.6.0 to 2.6.12

Description:
The fix for CVE-2021-25640 can be bypassed by certain means. As stated in CVE-2021-25640, use of the parseURL method leads to a bypass of the white host check, which can result in an open redirect or SSRF vulnerability.

Mitigation:
Upgrade to 2.7.15 or the latest 3.0.x, depending on the version currently in use.
https://github.com/apache/dubbo/releases/tag/dubbo-2.7.15
https://github.com/apache/dubbo/releases/tag/dubbo-3.0.8

Credit:
This issue was first reported by Oleg