What is CVE-2023-25753?

CVE-2023-25753 is an SSRF (Server-Side Request Forgery) vulnerability in Apache ShenYu that allows manipulation of arbitrary requests and retrieval of corresponding responses.

Where is the SSRF vulnerability located?

The SSRF vulnerability is located at the /sandbox/proxyGateway endpoint.

Which versions of Apache ShenYu are affected?

Versions up to and including 2.6.0 of org.apache.shenyu:shenyu-common and org.apache.shenyu:shenyu-admin are affected.

How can I fix the CVE-2023-25753 vulnerability?

To fix the vulnerability, update org.apache.shenyu:shenyu-common and org.apache.shenyu:shenyu-admin to version 2.6.0 (exclusive).

Vulnerability/
CVE-2023-25753

medium

6.5

CWE

918

19/10/2023

12/9/2024

CVE-2023-25753: Server-Side Request Forgery in Apache ShenYu

First published: Thu Oct 19 2023(Updated: )

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint. This vulnerability allows us to manipulate arbitrary requests and retrieve corresponding responses by inputting any URL into the requestUrl parameter. Of particular concern is our ability to exert control over the HTTP method, cookies, IP address, and headers. This effectively grants us the capability to dispatch complete HTTP requests to hosts of our choosing. This issue affects Apache ShenYu: 2.5.1. Upgrade to Apache ShenYu 2.6.0 or apply patch https://github.com/apache/shenyu/pull/4776 .

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache ShenYu	=2.5.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-25753?
CVE-2023-25753 is an SSRF (Server-Side Request Forgery) vulnerability in Apache ShenYu that allows manipulation of arbitrary requests and retrieval of corresponding responses.
Where is the SSRF vulnerability located?
The SSRF vulnerability is located at the /sandbox/proxyGateway endpoint.
How can the SSRF vulnerability be exploited?
The vulnerability can be exploited by inputting any URL into the requestUrl parameter at the /sandbox/proxyGateway endpoint.
Which versions of Apache ShenYu are affected?
Versions up to and including 2.6.0 of org.apache.shenyu:shenyu-common and org.apache.shenyu:shenyu-admin are affected.
How can I fix the CVE-2023-25753 vulnerability?
To fix the vulnerability, update org.apache.shenyu:shenyu-common and org.apache.shenyu:shenyu-admin to version 2.6.0 (exclusive).

collector/oss-sec
alias/CVE-2023-25753
collector/nvd-index
collector/nvd-api
collector/nvd-cve
collector/github-advisory-latest
alias/GHSA-7w8v-5fcq-pvqw
collector/github-advisory
agent/type
agent/first-publish-date
agent/references
agent/softwarecombine
agent/weakness
agent/title
agent/severity
agent/author
agent/description
agent/tags
agent/event
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/trending
vendor/apache
canonical/apache shenyu
version/apache shenyu/2.5.1
package-manager/maven

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.