PT-2021-18656 · Apache · Apache Dubbo

Published: 2021-05-29 · Updated: 2022-03-18 · CVE-2021-30181

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Dubbo versions prior to 2.6.9 and 2.7.9

Description: The issue allows arbitrary code execution because of the Script routing feature. This feature lets users route requests to the right server using rules. When parsing these rules, Dubbo hands the rule to a ScriptEngine and executes it, which by default can allow arbitrary code execution by whoever controls the rule.

Recommendations: For versions prior to 2.6.9, update to version 2.6.9 or later. For versions prior to 2.7.9, update to version 2.7.9 or later. As a temporary workaround, consider disabling the Script routing feature until a patch is available.
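The recommendations above describe two separate fixed releases, one per branch. The following script is an added example (not part of this advisory or of the Dubbo project) that scans a Maven pom.xml for Dubbo dependencies and flags versions that fall in the affected ranges, reporting which release to upgrade to. The pom.xml content is constructed for the example, and the groupIds com.alibaba (2.6.x) and org.apache.dubbo (2.7.x) are assumptions about how the artifact is published.

```python
"""Added example: flag Apache Dubbo dependency versions in the ranges this
advisory names (before 2.6.9, or 2.7.0 up to but not including 2.7.9).
The pom.xml below is constructed for the example; the groupIds com.alibaba
and org.apache.dubbo are assumptions, not taken from the advisory."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml with several Dubbo dependencies.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.alibaba</groupId>
      <artifactId>dubbo</artifactId>
      <version>2.6.5</version>
    </dependency>
    <dependency>
      <groupId>org.apache.dubbo</groupId>
      <artifactId>dubbo</artifactId>
      <version>2.7.8</version>
    </dependency>
    <dependency>
      <groupId>org.apache.dubbo</groupId>
      <artifactId>dubbo</artifactId>
      <version>2.7.9</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Assumption: groupIds under which the 2.6.x and 2.7.x lines are published.
DUBBO_GROUPS = {"com.alibaba", "org.apache.dubbo"}


def parse_version(text):
    """Turn '2.7.8' (optionally with a suffix such as '-SNAPSHOT') into an int tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies in an affected range named by the advisory."""
    v = parse_version(version)
    if v < (2, 6, 9):
        return True                      # every release before 2.6.9
    if (2, 7, 0) <= v < (2, 7, 9):
        return True                      # the 2.7 line before its fix
    return False


def recommended_fix(version):
    """Upgrade target for an affected version, or None if it is not affected."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    return "2.7.9" if v >= (2, 7, 0) else "2.6.9"


def scan_pom(pom_text):
    """Return (groupId, version, fix) for each affected Dubbo dependency in a pom."""
    root = ET.fromstring(pom_text)
    findings = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = dep.findtext("m:version", default="", namespaces=NS)
        if group in DUBBO_GROUPS and artifact == "dubbo" and version:
            fix = recommended_fix(version)
            if fix:
                findings.append((group, version, fix))
    return findings


if __name__ == "__main__":
    for group, version, fix in scan_pom(SAMPLE_POM):
        print(f"{group}:dubbo {version} is affected by CVE-2021-30181; upgrade to {fix}")
```

The check deliberately treats 2.6.9 and later 2.6.x releases, and 2.7.9 and later, as fixed, and everything older than 2.6.9 as affected, which mirrors the two upgrade paths the advisory gives; versions resolved through Maven properties or a parent BOM would need the effective pom rather than the raw file.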

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2021-30181
GHSA-QMFC-6WWW-FJQW

Affected Products

Apache Dubbo