Maven package
com.alibaba/dubbo
pkg:maven/com.alibaba/dubbo
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-24969 | — | >= 2.5.0, < 2.6.12 | 2.6.12 | Jun 6, 2022 | bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability. | ||
| CVE-2021-30179 | — | >= 2.5.0, < 2.6.9 | 2.6.9 | May 31, 2021 | Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Ja | ||
| CVE-2021-25640 | — | >= 2.5.0, < 2.6.9 | 2.6.9 | May 31, 2021 | In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability. | ||
| CVE-2021-30181 | — | >= 2.5.0, < 2.6.9 | 2.6.9 | May 29, 2021 | Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use Scri | ||
| CVE-2021-25641 | — | >= 2.5.0, < 2.6.9 | 2.6.9 | May 29, 2021 | Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka |
- CVE-2022-24969Jun 6, 2022affected >= 2.5.0, < 2.6.12fixed 2.6.12
bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
- CVE-2021-30179May 31, 2021affected >= 2.5.0, < 2.6.9fixed 2.6.9
Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Ja
- CVE-2021-25640May 31, 2021affected >= 2.5.0, < 2.6.9fixed 2.6.9
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
- CVE-2021-30181May 29, 2021affected >= 2.5.0, < 2.6.9fixed 2.6.9
Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use Scri
- CVE-2021-25641May 29, 2021affected >= 2.5.0, < 2.6.9fixed 2.6.9
Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka