Apache Kvrocks Cross-Protocol Scripting Vulnerability
Vulnerability
A cross-protocol scripting vulnerability exists in Apache Kvrocks versions prior to 2.11.0. Kvrocks does not check for, and reject, RESP request lines beginning with 'Host:' or 'POST', the markers that identify an HTTP request arriving on the RESP port. As a result, a well-formed HTTP request sent to the Kvrocks port is read line by line as RESP inline commands, and command text placed in the HTTP body can trigger harmful database operations. This vulnerability is particularly dangerous when combined with server-side request forgery (SSRF), where an attacker can make an internal service relay such an HTTP request to Kvrocks.
Impact
Exploitation of this vulnerability could lead to unintended database operations, which may be exploited in conjunction with SSRF to cause further harm.
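The following is an added illustration, not Kvrocks' own code, of the check this advisory describes. It models a RESP server's inline command reader with a toy key-value store and shows two things: without the guard, the lines of an HTTP request are treated as commands and a SET placed in the HTTP body reaches the store; with the guard, the connection is closed at the first line whose command name is "POST" or "Host:", so the body is never read. The HTTP request and the store are constructed here for the demonstration; the guard mirrors the long-standing Redis defence of closing a connection on those two command names.

```python
"""Cross-protocol guard for a RESP (Redis-protocol) inline command reader.

Added example, not Kvrocks' own code.  A RESP server that reads
newline-terminated inline commands treats every line of an HTTP request as a
command, so a command in the HTTP body can be executed.  Refusing the
connection as soon as a command name is "POST" or "Host:" stops the request
before its body is reached.
"""

# Command names that can only come from an HTTP request, not a RESP client.
CROSS_PROTOCOL_MARKERS = (b"post", b"host:")

# Constructed sample: an HTTP request (e.g. relayed via SSRF) whose body
# carries a RESP inline command.
HTTP_RELAYED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: kvrocks.internal:6666\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"SET greeting hello\r\n"
)


def is_cross_protocol(command_name: bytes) -> bool:
    """True if the command name is an HTTP request verb or a Host header."""
    return command_name.lower() in CROSS_PROTOCOL_MARKERS


def split_inline(line: bytes) -> list:
    """Split an inline RESP line into whitespace-separated tokens
    (simplified: no quoting rules)."""
    return line.strip().split()


def run(stream: bytes, guard: bool = True) -> tuple:
    """Feed a raw byte stream through the inline command reader.

    Returns (status, store): status is "ok" when the stream was consumed, or
    "closed:cross-protocol" when the guard closed the connection; store is the
    toy key-value store after processing, so callers can see what executed.
    """
    store = {}
    for raw_line in stream.split(b"\n"):
        tokens = split_inline(raw_line)
        if not tokens:
            continue  # blank line (e.g. the HTTP header/body separator)
        if guard and is_cross_protocol(tokens[0]):
            # The hardened behaviour: close immediately, execute nothing more.
            return "closed:cross-protocol", store
        cmd = tokens[0].upper()
        # Minimal command set; unknown commands (HTTP header lines) are skipped,
        # which is what makes the body reachable when the guard is off.
        if cmd == b"SET" and len(tokens) == 3:
            store[tokens[1]] = tokens[2]
        elif cmd == b"DEL" and len(tokens) == 2:
            store.pop(tokens[1], None)
    return "ok", store


if __name__ == "__main__":
    print("unguarded:", run(HTTP_RELAYED, guard=False))
    print("guarded:  ", run(HTTP_RELAYED))
```

Running the block shows the unguarded reader ending with `greeting` set from the HTTP body, while the guarded reader reports the connection closed with an empty store. A real server would additionally log the event, since a "POST" or "Host:" command name on the RESP port is a reliable signal of cross-protocol traffic worth alerting on.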
Remediation
Users are advised to upgrade to Apache Kvrocks version 2.11.1 or later, which addresses this vulnerability.
