Server-side Request Forgery (SSRF) Affecting org.apache.shenyu:shenyu-admin package, versions [,2.6.0)
Snyk ID: SNYK-JAVA-ORGAPACHESHENYU-6009151
- published 19 Oct 2023
- disclosed 19 Oct 2023
- credit by3
- introduced 19 Oct 2023
CVE-2023-25753
How to fix?
Upgrade org.apache.shenyu:shenyu-admin to version 2.6.0 or higher.
Overview
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /sandbox/proxyGateway endpoint. The endpoint forwards a request to whatever URL is supplied in the requestUrl parameter and returns the response to the caller, so an attacker can make the shenyu-admin server issue HTTP requests to hosts of their choosing, including internal services reachable from the server but not from the attacker, and read the responses.
Note:
Full exploitation requires that the HTTP method, cookies, IP address, and headers of the forwarded request are also under the attacker's control; that is what lets them dispatch complete, arbitrary HTTP requests through the endpoint rather than merely fetch a URL.
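The root cause described above is a proxy-style endpoint that forwards to a caller-supplied URL with no destination check. The following is an added example, not code from Apache ShenYu or Snyk, of the validation such an endpoint needs before forwarding a value like requestUrl: a scheme allow-list, rejection of embedded credentials, an optional host allow-list, and a rejection of every non-public address the host resolves to (loopback, RFC 1918, link-local including the 169.254.169.254 metadata address, IPv4-mapped IPv6, and multi-answer hosts where any answer is private). The sample DNS table and sample URLs are constructed for offline use and are assumptions, not real records or observed attack traffic; the only ShenYu-specific names in it are the endpoint and parameter taken from the advisory text.

```python
"""Destination validation for a proxy-style endpoint (added example, not ShenYu code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side proxy must never reach: "this" network, RFC 1918, CGNAT, loopback,
# link-local (covers the 169.254.169.254 cloud metadata service), multicast, reserved,
# and the IPv6 unspecified/loopback/ULA/link-local/multicast equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_ip(addr):
    """True if the address string falls in a blocked range. IPv4-mapped IPv6 is unwrapped."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_host(host):
    """Real resolver: every address (A and AAAA) the host currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_proxy_target(url, resolver=resolve_host, allowed_hosts=None):
    """Return (ok, reason); ok is True only if the URL is safe to forward.

    The resolver is injectable so the check can run offline in tests. In production the
    request must be sent to the vetted address (pin it), not re-resolved from the hostname,
    or DNS rebinding can swap in a private address between this check and the connect.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname            # already lowercased, brackets stripped for IPv6
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allow-list: {host}"
    try:                             # IP literal: no lookup needed
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except socket.gaierror as exc:
            return False, f"DNS resolution failed for {host}: {exc}"
    if not addrs:
        return False, f"{host} resolved to no addresses"
    bad = sorted(a for a in addrs if is_blocked_ip(a))
    if bad:                          # a single private answer is enough to reject
        return False, f"{host} resolves to non-public address(es): {bad}"
    return True, f"{host} -> {sorted(addrs)}"


# Constructed DNS table (assumed values, not real records) so the example runs offline.
SAMPLE_DNS = {
    "api.example.com": {"203.0.113.10"},
    "internal.corp": {"10.0.0.5"},
    "dual.example.com": {"203.0.113.20", "192.168.1.20"},   # split-horizon / rebinding style
}


def sample_resolver(host):
    """Offline stand-in for resolve_host backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return SAMPLE_DNS[host]


# Constructed requestUrl values of the kind an attacker could submit to /sandbox/proxyGateway.
SAMPLE_URLS = [
    "https://api.example.com/v1/status",          # legitimate external target
    "http://internal.corp/admin",                  # private host via DNS
    "http://169.254.169.254/latest/meta-data/",    # cloud metadata, IP literal
    "http://[::ffff:127.0.0.1]:8080/",             # loopback hidden in mapped IPv6
    "http://dual.example.com/",                    # one public and one private answer
    "file:///etc/passwd",                          # non-HTTP scheme
    "http://admin:secret@api.example.com/",        # userinfo smuggled into the URL
]


def demo():
    """Classify every sample URL; returns {url: (ok, reason)}."""
    return {u: check_proxy_target(u, resolver=sample_resolver) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print("ALLOW" if ok else "BLOCK", url, "-", reason)
```

Only the first sample URL passes; every other one is rejected for the reason given in the comment beside it. Two points matter beyond the list of ranges: the check must look at every address the name resolves to, not just the first, and the vetted address must be the one actually connected to, because a name validated now can resolve to 127.0.0.1 a moment later.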