Apache Neethi PolicyReference API Unrestricted URI Fetching Vulnerability

Vulnerability

A vulnerability exists in Apache Neethi versions prior to 3.2.2, allowing unrestricted fetching of remote policy references through the PolicyReference API. Because no restriction is applied, a policy reference can cause outbound requests to arbitrary protocols and to internal IP addresses. In version 3.2.2 and later, the API restricts reference URIs to http or https and disallows link-local, multicast, or any-local addresses.
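
As an added example that is not part of this advisory or of Apache Neethi's own code, the following Java check applies the restriction described above to a policy reference before it is fetched: only http or https schemes pass, and any resolved address that is link-local, multicast or any-local is refused. The class and method names are assumptions, and the sample references are constructed.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;

// Illustrative pre-fetch check; class and method names are assumptions, not Neethi's API.
public final class PolicyReferenceUriCheck {

    /** Returns true only if the reference may be fetched under the 3.2.2-style restriction. */
    public static boolean isFetchAllowed(String reference) {
        URI uri;
        try {
            uri = new URI(reference);
        } catch (URISyntaxException e) {
            return false;                                  // unparsable reference: refuse
        }
        String scheme = uri.getScheme();                   // null for relative references
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false;                                  // file:, ftp:, jar: and the like are out
        }
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            return false;
        }
        InetAddress[] addresses;
        try {
            addresses = InetAddress.getAllByName(host);    // IP literals resolve without DNS
        } catch (UnknownHostException e) {
            return false;
        }
        for (InetAddress a : addresses) {
            // Refuse every resolved address in the three classes the fix names.
            if (a.isLinkLocalAddress() || a.isMulticastAddress() || a.isAnyLocalAddress()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample references; IP literals (RFC 5737 test range for the allowed one) keep the demo offline.
        String[] samples = {"https://192.0.2.10/policy.xml", "ftp://192.0.2.10/policy.xml",
            "http://169.254.169.254/policy.xml", "http://224.0.0.1/policy.xml", "http://0.0.0.0/policy.xml"};
        for (String s : samples) {
            System.out.println(isFetchAllowed(s) + "  " + s);
        }
    }
}
```

The advisory names only link-local, multicast and any-local addresses; whether loopback or site-local ranges should also be refused is a deployment decision, and the same check belongs on any redirect target the fetch follows.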

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal resources or services via outbound requests, potentially allowing for data exfiltration or interaction with internal systems.

Remediation

Users are advised to upgrade to Apache Neethi version 3.2.2 or later, which addresses this vulnerability.

Added: May 1, 2026, 11:20 AM
Updated: May 1, 2026, 11:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 6.8
remediation: 0.0
relevance: 7.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.