← Back

CVE-2026-42404

nvd nist
Published: May 1, 2026Modified: May 1, 2026

JSON object

Loading...
7.2
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Exploitability: 3.9 / Impact: 2.7
Source: NVD

Description

Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and internal IP adddresses. From 3.2.2, only http or https URIs are allowed, and link-local/multicast/any-local addresses are forbidden. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Affected (1)

Products: Apache: Neethi
Apache
1 product
Neethi
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Neethi
Before 3.2.2

Related CWEs

CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

Source: security@apache.org
Issue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory

Timeline

No history available yet.