Posted to dev@dubbo.apache.org by Neal Caffery <bi...@gmail.com> on 2023/01/12 01:27:31 UTC

Re: [CVE-2021-25640] Open Redirect or SSRF vulnerability usage of parseURL

Hi,

Sorry to bother you. I wonder if you could add credit for
https://github.com/advisories/GHSA-gw4j-4229-q4px for this CVE. The
process would be simple; you can refer to
https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories
.

My github username is *madneal*. Looking forward to hearing from you.
Thanks.

On Mon, May 31, 2021 at 2:43 PM Jun Liu <li...@apache.org> wrote:

> Hi
>
> Severity: low
>
> Vendor:
> The Dubbo Project Team
>
> Versions Affected:
> Dubbo 2.7.0 to 2.7.9
> Dubbo 2.6.0 to 2.6.9
> Dubbo all 2.5.x versions (not supported by official team any longer)
>
> Description:
> The usage of the parseURL method will lead to a bypass of the white host check,
> which can cause an open redirect or SSRF vulnerability.  Evil URL sample:
> https://evilhost#@whitehost
>
> Mitigation:
> Upgrade to 2.7.10+ or 2.6.9+ accordingly, based on the version currently
> in use.
> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10
> https://dubbo.apache.org/en/blog/2020/05/18/past-releases/
>
> Credit:
> This issue was first reported by Bing Dong
>
> Jun
>
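The sample URL in the quoted advisory works because two parsers disagree about where the authority ends. A hand-rolled extractor that scans up to the first "/" and then takes whatever follows the last "@" as the host reads "whitehost"; an RFC 3986 parser stops the authority at the first "/", "?" or "#", so the host is "evilhost", and that is the host the browser or HTTP client actually follows. The script below is an added example written for this page, not Dubbo's parseURL or any project code: naive_host is a hypothetical reconstruction of the faulty pattern, rfc3986_host uses Python's urllib.parse, the allowlist is constructed, and hardened_check is one way to do the check correctly. It also covers the "?" variant of the same trick, which the advisory does not mention.

```python
"""
Added example (not Dubbo's code): why "https://evilhost#@whitehost" defeats a
naive host-allowlist check, and a check that holds up.

A hand-rolled parser that takes the text after the last '@' before the path
as the host sees "whitehost"; an RFC 3986 parser ends the authority at the
first '/', '?' or '#', so the host is "evilhost". The client that finally
follows the URL uses the RFC 3986 reading, so the allowlist is bypassed.
"""
from urllib.parse import urlsplit

# Constructed allowlist for the example.
ALLOWED_HOSTS = {"whitehost"}


def naive_host(url: str) -> str:
    """Hypothetical buggy extraction: split on '://', take everything up to
    the first '/' as the authority, then treat whatever follows the last
    '@' as the host (assuming only 'user:pass@' can precede it).
    '#' and '?' are not treated as terminators, which is the defect."""
    _, _, rest = url.partition("://")
    authority = rest.split("/", 1)[0]
    host_port = authority.rsplit("@", 1)[-1]   # drop any "user:pass@" prefix
    return host_port.split(":", 1)[0].lower()


def rfc3986_host(url: str) -> str:
    """Standards-based extraction: urlsplit ends the authority at the first
    '/', '?' or '#', so the fragment/query cannot smuggle an '@'."""
    return (urlsplit(url).hostname or "").lower()


def naive_check(url: str) -> bool:
    """Allowlist check on top of the buggy extractor (bypassable)."""
    return naive_host(url) in ALLOWED_HOSTS


def hardened_check(url: str) -> bool:
    """Allowlist check on the host the client will really connect to.
    Any userinfo ('@' in the authority) is rejected outright, since a
    redirect target that carries credentials is almost always an attempt
    to confuse a parser rather than a legitimate destination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed inputs: the advisory's sample, a '?' variant, a benign URL
    # and a classic userinfo trick.
    for sample in (
        "https://evilhost#@whitehost",
        "https://evilhost?@whitehost",
        "https://whitehost/path",
        "https://whitehost@evilhost/",
    ):
        print(f"{sample:32} naive={naive_check(sample)!s:5} "
              f"hardened={hardened_check(sample)!s:5} "
              f"real_host={rfc3986_host(sample)}")
```

The important line is the last column: whatever the allowlist code believes, the host that gets connected to is the RFC 3986 one, so the check must be done on that value (or, better, on a parsed structure rather than on string fragments).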

Re: [CVE-2021-25640] Open Redirect or SSRF vulnerability usage of parseURL

Posted by Arnout Engelen <en...@apache.org>.
Hello Neal,

Thanks for asking! Unfortunately, it looks like this is a
'global' advisory, and only 'repository' advisories have a 'credits'
field.

This raises the question of whether we would like to support
publishing 'repository' advisories for Apache projects to GitHub. I
brought up that question on the security-discuss list[0] and reached
out to GitHub, to see if they have the necessary infrastructure to
provide such advisories programmatically from the advisory tooling we
use at Apache.


Kind regards,

Arnout
[0]: https://lists.apache.org/thread/x4hx4nbp5tr4djgcsh4zlnryr4mmwlhp

On Thu, Jan 12, 2023 at 2:27 AM Neal Caffery <bi...@gmail.com> wrote:
>
> Hi,
>
> Sorry to bother you. I wonder if you could add credit for https://github.com/advisories/GHSA-gw4j-4229-q4px for this CVE. The process would be simple; you can refer to https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories.
>
> My github username is madneal. Looking forward to hearing from you. Thanks.
>
> On Mon, May 31, 2021 at 2:43 PM Jun Liu <li...@apache.org> wrote:
>>
>> Hi
>>
>> Severity: low
>>
>> Vendor:
>> The Dubbo Project Team
>>
>> Versions Affected:
>> Dubbo 2.7.0 to 2.7.9
>> Dubbo 2.6.0 to 2.6.9
>> Dubbo all 2.5.x versions (not supported by official team any longer)
>>
>> Description:
>> The usage of the parseURL method will lead to a bypass of the white host check, which can cause an open redirect or SSRF vulnerability.  Evil URL sample: https://evilhost#@whitehost
>>
>> Mitigation:
>> Upgrade to 2.7.10+ or 2.6.9+ accordingly, based on the version currently in use.
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
>> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10
>> https://dubbo.apache.org/en/blog/2020/05/18/past-releases/
>>
>> Credit:
>> This issue was first reported by Bing Dong
>>
>> Jun