Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apicurio/apicurio-registry: apicurio-registry: ssrf via wsdl4j import dereference in wsdl full validation
Vulnerability Description
A flaw was found in Apicurio Registry. The WSDLReaderAccessor creates a wsdl4j WSDLReader without disabling the javax.wsdl.importDocuments feature. When the VALIDITY rule is set to FULL, an attacker with Developer-role access can upload a WSDL document containing attacker-controlled import locations, causing the registry to issue HTTP requests to arbitrary internal URLs (server-side request forgery).
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
Red Hat Apicurio Registry 服务端请求伪造漏洞
Vulnerability Description
Red Hat Apicurio Registry是美国Red Hat公司的一款用于管理与版本控制API模式与事件数据结构的开源注册中心。 Red Hat Apicurio Registry存在服务端请求伪造漏洞,该漏洞源于WSDLReaderAccessor未禁用javax.wsdl.importDocuments特性,设置VALIDITY规则为FULL时,具有Developer角色的攻击者可通过上传包含攻击者控制导入位置的WSDL文档,导致注册表向任意内部URL发出HTTP请求。
CVSS Information
N/A
Vulnerability Type
N/A