CVE-2022-24969
Server-side request forgery in Apache Dubbo
6.1
MEDIUM
CVSS 3.1
EPSS 2.4%
Description
A bypass of the fix for CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, use of the parseURL method bypasses the allowed-host ("white host") check, which can lead to an open redirect or SSRF.
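The bug class behind this advisory, shown with an added example that is not Dubbo's code and does not reproduce Dubbo's specific bypass: a redirect/fetch-target check that looks for the allowed hostname in the raw URL string, next to a hardened check that parses the URL and compares the extracted host exactly. The hostnames `app.example.com`, `sso.example.com`, `evil.example` and every URL in `BYPASS_ATTEMPTS` are constructed for the illustration.

```python
"""Host-allowlist checks for a redirect or server-side fetch target: a naive
string check beside a hardened parse-then-compare check.

Added illustration of the vulnerability class; not Apache Dubbo's code.
All hostnames and URLs below are constructed for the example.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com", "sso.example.com"}


def naive_is_allowed(url: str) -> bool:
    """Vulnerable: substring match on the raw string.

    Any URL that merely *mentions* an allowed host passes, no matter which
    host the URL actually points at.
    """
    return any(host in url for host in ALLOWED_HOSTS)


def hardened_is_allowed(url: str) -> bool:
    """Parse first, then compare the *extracted* hostname exactly."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # Only absolute http(s) URLs are acceptable targets; a bare hostname or
    # a scheme-relative "//host/..." is rejected rather than guessed at.
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # userinfo ("allowed@evil") is a classic way to smuggle an allowed name
    # into the authority without it being the host; refuse it outright.
    if parts.username is not None or parts.password is not None:
        return False
    # Browsers treat '\' like '/' in the authority, Python's parser does not;
    # rejecting it closes that parser differential.
    if "\\" in url:
        return False
    host = parts.hostname  # already lower-cased, port and userinfo stripped
    if host is None:
        return False
    return host in ALLOWED_HOSTS


# Constructed inputs: each contains an allowed hostname somewhere in the
# string but does not actually point at an allowed host.
BYPASS_ATTEMPTS = [
    "http://evil.example/?next=app.example.com",   # allowed host in the query
    "http://evil.example/#app.example.com",        # allowed host in the fragment
    "http://app.example.com@evil.example/",        # allowed host as userinfo
    "http://app.example.com.evil.example/",        # allowed host as a subdomain label
    "http://evil.example\\@app.example.com/",      # backslash parser differential
    "app.example.com",                             # no scheme: not a URL at all
]


def classify(urls):
    """Map each URL to (naive verdict, hardened verdict)."""
    return {u: (naive_is_allowed(u), hardened_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in classify(BYPASS_ATTEMPTS).items():
        print(f"{url!r:50} naive={naive} hardened={hardened}")
```

Every entry in `BYPASS_ATTEMPTS` is accepted by `naive_is_allowed` and rejected by `hardened_is_allowed`, while a legitimate `https://app.example.com/login` passes both. The general lesson is the one the advisory points at: an allowlist check is only as strong as the URL parsing in front of it, and the parser used for the check must be the one (or agree with the one) that later decides where the request actually goes.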
How to fix CVE-2022-24969
To remediate CVE-2022-24969, upgrade the affected package to a fixed version:
- Maven/com.alibaba:dubbo (2.6 release line): upgrade to 2.6.12 or later
- 2.7 release line: upgrade to 2.7.15 or later
Is CVE-2022-24969 being exploited?
Low. EPSS is 2.4%, the estimated probability that this vulnerability is exploited in the wild within the next 30 days. EPSS is a prediction, not a record of observed exploitation, so a low score means exploitation at scale is unlikely, not that it has been ruled out.
Affected packages (2)
- >= 2.5.0, < 2.6.12
- >= 2.5.0, < 2.7.15
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |