
Wang Weibing

Rank #16960 of 53,633 · Total CVSS 15.9 · Vulnerabilities: 2 (1 Critical, 1 Medium)
PT-2023-29673 · CVSS 6.1 (Medium) · 2023-10-16 · Apache · Apache bRPC · CVE-2023-45757

**Name of the Vulnerable Software and Affected Versions**
Apache bRPC versions <= 1.6.0

**Description**
A security issue in the builtin rpcz page of Apache bRPC allows an attacker to inject arbitrary script into the page (cross-site scripting, XSS). It can be exploited by anyone who can send HTTP requests to a bRPC server with rpcz enabled; the injected script then runs in the browser of whoever views the rpcz page.

**Recommendations**
For Apache bRPC versions <= 1.6.0, apply one of the following:
1. Upgrade to bRPC 1.6.1 or later (any release > 1.6.0).
2. If upgrading is not feasible, apply the patch available at https://github.com/apache/brpc/pull/2411.
3. As a temporary workaround, disable the rpcz feature.
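The fix pattern for a builtin status page such as rpcz is to HTML-escape every request-controlled string before it is concatenated into the page. The following is an added example written for this entry, not code from the bRPC project or from PR #2411; it assumes the page is built by string concatenation, and the function names (`HtmlEscape`, `RenderRowUnsafe`, `RenderRowSafe`) and the sample payload are hypothetical.

```cpp
// Added example (not bRPC's own code): escaping request-controlled strings
// before they are interpolated into a builtin HTML page such as rpcz.
// Assumption: the page builds HTML by string concatenation; the hardening is
// to escape every untrusted field. All names here are hypothetical.
#include <cstdio>
#include <string>

// Escape the five characters that matter in HTML text and attribute context.
std::string HtmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// A minimal rpcz-style table row: method name and remote side as supplied by
// the client. Vulnerable version: interpolates the raw values.
std::string RenderRowUnsafe(const std::string& method, const std::string& remote) {
    return "<tr><td>" + method + "</td><td>" + remote + "</td></tr>";
}

// Hardened version: every client-controlled value goes through HtmlEscape.
std::string RenderRowSafe(const std::string& method, const std::string& remote) {
    return "<tr><td>" + HtmlEscape(method) + "</td><td>" + HtmlEscape(remote) + "</td></tr>";
}

// True if the rendered fragment still contains an opening tag with this name,
// i.e. attacker-supplied markup survived rendering.
bool ContainsRawTag(const std::string& html, const std::string& tag) {
    return html.find("<" + tag) != std::string::npos;
}

int main() {
    // Constructed payload resembling what a client could put in an RPC field.
    const std::string payload = "<script>alert(1)</script>";
    std::printf("unsafe: %s\n", RenderRowUnsafe(payload, "127.0.0.1").c_str());
    std::printf("safe:   %s\n", RenderRowSafe(payload, "127.0.0.1").c_str());
    return 0;
}
```

The escape function is deliberately context-specific: it is correct for text nodes and quoted attribute values, which is where a status page puts method names and peer addresses. Values inserted into a `<script>` block, a URL, or an unquoted attribute need a different encoder.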
PT-2023-23117 · CVSS 9.8 (Critical) · 2023-05-08 · Apache · Apache bRPC · CVE-2023-31039

**Name of the Vulnerable Software and Affected Versions**
Apache bRPC versions prior to 1.5.0

**Description**
A security issue in Apache bRPC allows attackers to execute arbitrary code via the `pid_file` parameter of `ServerOptions`. An attacker who can influence the value of `pid_file` when the bRPC server is started gains arbitrary code execution with the privileges of the bRPC process.

**Recommendations**
For Apache bRPC versions prior to 1.5.0, upgrade to bRPC 1.5.0 or later. If upgrading is difficult, apply the patch available at https://github.com/apache/brpc/pull/2218 as a temporary solution.
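A file path becoming code execution almost always means the path was handed to a shell. The entry above does not say how `pid_file` reached code execution, so the example below, added for this entry and not taken from bRPC or PR #2218, assumes that classic pattern: `BuildMkdirCommandUnsafe` shows what such a command string would look like for a hostile value (it is returned, never run), and `WritePidFile` shows the shell-free replacement using `mkdir(2)` and `open(2)`. All function names and the sample hostile value are hypothetical.

```cpp
// Added example (not bRPC's own code): a pid-file writer that never hands the
// path to a shell. Assumption: the vulnerable pattern spliced the path into a
// shell command; this shows that pattern (not executed) beside a safe one.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Vulnerable pattern: the directory part of pid_file is concatenated into a
// shell command. A value such as "/tmp/x; touch /tmp/pwned" would run the
// second command if this string were passed to system(). Returned only.
std::string BuildMkdirCommandUnsafe(const std::string& pid_file) {
    size_t pos = pid_file.rfind('/');
    std::string dir = (pos == std::string::npos) ? "." : pid_file.substr(0, pos);
    return "mkdir -p " + dir;
}

// Hardened: create each path component with mkdir(2); no shell is involved,
// so metacharacters in the path are just characters.
bool CreateParentDirs(const std::string& pid_file) {
    size_t pos = pid_file.rfind('/');
    if (pos == std::string::npos || pos == 0) return true;  // cwd or root
    std::string dir = pid_file.substr(0, pos);
    for (size_t i = 1; i <= dir.size(); ++i) {
        if (i == dir.size() || dir[i] == '/') {
            std::string prefix = dir.substr(0, i);
            if (mkdir(prefix.c_str(), 0755) != 0 && errno != EEXIST) return false;
        }
    }
    return true;
}

// Writes the current pid with open(2)/write(2). O_NOFOLLOW refuses to follow
// a symlink planted at the pid path, the usual file-overwrite trick when the
// directory is writable by others.
bool WritePidFile(const std::string& pid_file) {
    if (pid_file.empty() || pid_file.find('\0') != std::string::npos) return false;
    if (!CreateParentDirs(pid_file)) return false;
    int fd = open(pid_file.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0644);
    if (fd < 0) return false;
    std::string line = std::to_string(getpid()) + "\n";
    ssize_t n = write(fd, line.data(), line.size());
    close(fd);
    return n == (ssize_t)line.size();
}

// Reads the file back; used to check the round-trip.
std::string ReadFileOrEmpty(const std::string& path) {
    FILE* f = std::fopen(path.c_str(), "r");
    if (!f) return "";
    char buf[64] = {0};
    size_t n = std::fread(buf, 1, sizeof(buf) - 1, f);
    std::fclose(f);
    return std::string(buf, n);
}

int main() {
    // Constructed hostile value: what an attacker-influenced option might carry.
    const std::string hostile = "/tmp/brpc-demo/app.pid; touch /tmp/pwned";
    std::printf("shell command that would run: %s\n",
                BuildMkdirCommandUnsafe(hostile).c_str());
    char tmpl[] = "/tmp/brpc-demo-XXXXXX";
    char* base = mkdtemp(tmpl);
    if (!base) return 1;
    std::string path = std::string(base) + "/run/nested/app.pid";
    bool ok = WritePidFile(path);
    std::printf("write ok: %d, content: %s", ok, ReadFileOrEmpty(path).c_str());
    return ok ? 0 : 1;
}
```

Beyond avoiding the shell, the operational check is who can set `ServerOptions` at startup: a pid-file path that comes from a config file, environment variable or command line writable by a less privileged user is still a path the process will create and truncate with its own privileges, so restrict it to a directory the service owns.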