Hi,

Sorry to bother you. I wonder if you could add credit for
https://github.com/advisories/GHSA-gw4j-4229-q4px for this CVE. The
process would be simple; you can refer to
https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/editing-a-repository-security-advisory#about-credits-for-security-advisories

My github username is *madneal*. Looking forward to hearing from you.
Thanks.

On Mon, May 31, 2021 at 2:43 PM Jun Liu <liu...@apache.org> wrote:

> Hi
>
> Severity: low
>
> Vendor:
> The Dubbo Project Team
>
> Versions Affected:
> Dubbo 2.7.0 to 2.7.9
> Dubbo 2.6.0 to 2.6.9
> All Dubbo 2.5.x versions (no longer supported by the official team)
>
> Description:
> The usage of the parseURL method leads to a bypass of the white host check,
> which can cause an open redirect or SSRF vulnerability. Evil URL sample:
> https://evilhost#@whitehost
>
> Mitigation:
> Upgrade to 2.7.10+ or 2.6.9+ accordingly, based on the version currently in
> use.
> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10
> https://dubbo.apache.org/en/blog/2020/05/18/past-releases/
>
> Credit:
> This issue was first reported by Bing Dong
>
> Jun
>
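The advisory's sample URL works because a hand-rolled parser that looks for the last "@" to split off userinfo sees "whitehost" as the host, while any RFC 3986 parser (and therefore the browser or HTTP client that follows the redirect) stops the authority at the first "#" and sees "evilhost". The following is an added illustration, not code from the Dubbo project or from either e-mail: naive_host is a simplified reconstruction of the parsing pattern the advisory describes (an assumption about the shape of the bug, not Dubbo's actual implementation), ALLOWED_HOSTS and the sample URLs are constructed for the demo, and hardened_check shows the allow-list check done on the host as a standards-compliant parser sees it.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demo; the real check is whatever the
# application considers its trusted hosts.
ALLOWED_HOSTS = {"whitehost"}


def naive_host(url: str) -> str:
    """Host extraction in the style the advisory describes (assumption: a
    simplified reconstruction, not Dubbo's code).  Scheme is stripped, the
    query and path are cut off, and everything up to the LAST '@' is treated
    as userinfo.  '#' is never considered, so '#@whitehost' is swallowed as
    userinfo and 'whitehost' is returned as the host."""
    rest = url.split("://", 1)[1] if "://" in url else url
    rest = rest.split("?", 1)[0]      # drop query
    rest = rest.split("/", 1)[0]      # drop path
    at = rest.rfind("@")
    if at >= 0:
        rest = rest[at + 1:]          # drop "userinfo@"
    colon = rest.rfind(":")
    if colon >= 0:
        rest = rest[:colon]           # drop ":port"
    return rest


def rfc3986_host(url: str) -> str:
    """Host as an RFC 3986 parser sees it: the authority ends at the first
    '/', '?' or '#', so the fragment '#@whitehost' never reaches it."""
    return urlsplit(url).hostname or ""


def naive_check(url: str) -> bool:
    """Allow-list check built on the naive parser: bypassable."""
    return naive_host(url) in ALLOWED_HOSTS


def hardened_check(url: str) -> bool:
    """Allow-list check on the parsed authority.  Also rejects URLs that
    carry userinfo at all, since 'user@host' forms are a classic way to
    confuse whoever reads the URL next."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_HOSTS


# Constructed samples: the advisory's URL plus a few neighbours.
SAMPLES = [
    "https://evilhost#@whitehost",      # the advisory's bypass
    "https://evilhost:443#@whitehost",  # same trick with an explicit port
    "https://whitehost@evilhost",       # userinfo, naive parser gets this right
    "https://whitehost/path?x=1",       # genuinely allowed
    "https://evilhost/",                # plainly disallowed
]


def compare(samples=SAMPLES):
    """Return (url, naive_host, rfc_host, naive_ok, hardened_ok) per sample."""
    return [
        (u, naive_host(u), rfc3986_host(u), naive_check(u), hardened_check(u))
        for u in samples
    ]


if __name__ == "__main__":
    for row in compare():
        print("%-34s naive=%-10s rfc=%-10s naive_ok=%-5s hardened_ok=%s" % row)
```

The divergence is exactly what makes this an open redirect or SSRF: the allow-list is evaluated against "whitehost", but the client that actually connects resolves the authority as "evilhost". The fix is to validate the same parsed host the downstream client will use, not a host recovered by string searching.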
