A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks.
Since Kvrocks didnt detect if Host: or POST appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF.
It is similiar to CVE-2016-10517 in Redis.
This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0.
Users are recommended to upgrade to version 2.11.1, which fixes the issue.
The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.