=====================================================================
CERT-Renater Information Note No. 2025/VULN076
_____________________________________________________________________
DATE: 10/02/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Kvrocks versions prior to 2.11.1.
=====================================================================

https://lists.apache.org/thread/4y9scyjdzx0pw2dl97nmpnyffh4274ot
_____________________________________________________________________

CVE-2025-25069: Apache Kvrocks: Cross-Protocol Scripting Vulnerability

Severity: Moderate

Affected versions:
- Apache Kvrocks through 2.11.0

Description:
A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks did not detect whether "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similar to CVE-2016-10517 in Redis.

This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.

Users are recommended to upgrade to version 2.11.1, which fixes the issue.

Credit:
Sergey Volosatov (reporter)

References:
https://www.cve.org/CVERecord?id=CVE-2016-10517
https://kvrocks.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-25069

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================
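The mechanism the advisory describes, as an added illustration that is not code from the Apache Kvrocks project, from Redis, or from the advisory itself: a minimal RESP inline-command parser in its permissive form, where each line of an HTTP request is accepted as a command, beside a hardened form that applies the same check Redis adopted for CVE-2016-10517, closing the connection as soon as a line starts with "POST" or "Host:". The HTTP request and the RESP session in the block are constructed samples; the host name in them is a placeholder.

```python
"""
Added example (not from the Apache Kvrocks project or the advisory): a
minimal RESP inline-command parser, first in the permissive form the
advisory describes, then hardened with the check Redis adopted for
CVE-2016-10517: a line whose first token is "POST" or "Host:" cannot come
from a legitimate RESP client, so the connection is dropped.
All input below is constructed for illustration.
"""
from typing import List

# Tokens that only an HTTP client would send as the first word of a "command".
HTTP_MARKERS = {b"POST", b"Host:"}


class ProtocolError(Exception):
    """Raised when the server should close the connection."""


def parse_inline_naive(stream: bytes) -> List[List[bytes]]:
    """Split a raw byte stream into inline RESP commands, one per line.

    This mirrors the behaviour the advisory describes: every non-empty line
    is accepted and split on whitespace, so the lines of an HTTP request
    become commands too (the header lines are unknown commands, but the
    body lines are executed as if a RESP client had sent them).
    """
    commands = []
    for line in stream.split(b"\r\n"):
        line = line.strip(b"\r")
        if not line:            # blank line: skipped like an empty command
            continue
        commands.append(line.split())
    return commands


def parse_inline_hardened(stream: bytes) -> List[List[bytes]]:
    """Same parser, but refuse the stream as soon as an HTTP marker is seen.

    Checking the first token of every line (not only the first line) means a
    pipelined stream that carries an HTTP request later on is also rejected.
    """
    commands = []
    for line in stream.split(b"\r\n"):
        line = line.strip(b"\r")
        if not line:
            continue
        argv = line.split()
        if argv[0] in HTTP_MARKERS:
            # Redis logs a "Possible SECURITY ATTACK detected" warning here and
            # closes the socket; this example surfaces it as an exception.
            raise ProtocolError(f"cross-protocol request rejected: {argv[0]!r}")
        commands.append(argv)
    return commands


# Constructed sample: what a browser-originated POST looks like on the wire
# once it reaches a RESP listener.  The body is deliberately harmless.
SAMPLE_HTTP_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: kvrocks.internal.example\r\n"   # placeholder host name
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"PING\r\n"
)

# Constructed sample of an ordinary RESP inline session for comparison.
SAMPLE_RESP_INLINE = b"PING\r\nSET greeting hello\r\nGET greeting\r\n"


def commands_executed_naively(stream: bytes) -> List[bytes]:
    """Return the command names a permissive server would try to run."""
    return [argv[0] for argv in parse_inline_naive(stream)]


def is_rejected_by_hardened(stream: bytes) -> bool:
    """True if the hardened parser drops the connection for this stream."""
    try:
        parse_inline_hardened(stream)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    print("naive server sees:", commands_executed_naively(SAMPLE_HTTP_REQUEST))
    print("hardened server rejects HTTP:", is_rejected_by_hardened(SAMPLE_HTTP_REQUEST))
    print("hardened server rejects RESP:", is_rejected_by_hardened(SAMPLE_RESP_INLINE))
```

The permissive parser turns the four non-empty lines of the HTTP request into four commands, the last of which ("PING") is a real RESP command that would execute; the hardened parser stops at the very first line. Upgrading to Kvrocks 2.11.1 is the fix the advisory recommends; the check shown here is the kind of server-side guard that closes the gap, and the same reasoning applies to any text-protocol listener reachable from a browser through SSRF.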