Home > Vulnerability Database > CVE-2023-25753

Mend.io Vulnerability Database

CVE-2023-25753

Good to know:

Date: October 19, 2023

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. This issue affects Apache ShenYu: 2.5.1. Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 .

Language: Java

Severity Score

6.5

Related Resources (5)

Url: https://github.com/apache/shenyu/commit/1fd33d5aa032e8e71e7e40b229d74e9f88745923

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-25753

Url: https://seclists.org/oss-sec/2023/q4/148

Url: https://lists.apache.org/thread/chprswxvb22z35vnoxv9tt3zknsm977d

Url: https://www.mend.io/vulnerability-database/CVE-2023-25753

Severity Score

6.5

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version org.apache.shenyu:shenyu-common:2.6.0;org.apache.shenyu:shenyu-admin:2.6.0

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-25753

Good to know:

Date: October 19, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?