CVE-2021-25640
Server-Side Request Forgery in Apache Dubbo
6.1
MEDIUM
CVSS 3.1
EPSS 0.70%
Description
In Apache Dubbo prior to 2.6.9 and 2.7.10, the way the parseURL method handles URLs allows the allowed-host ("white host") check to be bypassed, which can result in an open redirect or server-side request forgery (SSRF).
How to fix CVE-2021-25640
To remediate CVE-2021-25640, upgrade the affected package to a fixed version below.
- Maven/com.alibaba:dubbo—upgrade to 2.6.9 or later
- —upgrade to 2.7.10 or later
Is CVE-2021-25640 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.5.0, < 2.6.9
- >= 2.5.0, < 2.7.10
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |