Apache Kvrocks 跨协议脚本漏洞(CVE-2025-25069)
Apache Kvrocks存在跨协议脚本漏洞(CVE-2025-25069),影响至2.11.0版本。因未检测HTTP头信息,HTTP请求可被误认为RESP请求触发数据库操作,结合SSRF有风险。建议升级至2.11.1修复。 2025-2-7 17:47:0 Author: seclists.org(查看原文) 阅读量:25 收藏
Apache Kvrocks存在跨协议脚本漏洞(CVE-2025-25069),影响至2.11.0版本。因未检测HTTP头信息,HTTP请求可被误认为RESP请求触发数据库操作,结合SSRF有风险。建议升级至2.11.1修复。 2025-2-7 17:47:0 Author: seclists.org(查看原文) 阅读量:25 收藏
oss-sec mailing list archives
From: Mingyang Liu <twice () apache org>
Date: Fri, 07 Feb 2025 12:31:57 +0000
Severity: Moderate Affected versions: - Apache Kvrocks through 2.11.0 Description: A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similiar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the issue. Credit: Sergey Volosatov (reporter) References: https://www.cve.org/CVERecord?id=CVE-2016-10517 https://kvrocks.apache.org https://www.cve.org/CVERecord?id=CVE-2025-25069
Current thread:
- CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability Mingyang Liu (Feb 07)
文章来源: https://seclists.org/oss-sec/2025/q1/117
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh