PT-2021-21150 · Apache · Apache Dubbo

Alvaro Munoz · Published 2021-09-07 · Updated 2021-09-14 · CVE-2021-36162

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Dubbo versions prior to 2.7.13
Apache Dubbo versions prior to 3.0.2

Description
Apache Dubbo parses YAML rules with the SnakeYAML library, whose default constructor allows a YAML document to name and instantiate arbitrary Java classes. An attacker with access to the configuration center can poison the rules, leading to remote code execution (RCE) on every consumer that retrieves the tainted rules.

Recommendations
For Apache Dubbo versions prior to 2.7.13, update to version 2.7.13 or later. For Apache Dubbo versions prior to 3.0.2, update to version 3.0.2 or later.
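The root cause described above is the SnakeYAML loader setting, so it is worth seeing the weak setting beside the hardened one. The following is an added example, not part of this advisory and not code from the Dubbo project. It assumes SnakeYAML 1.x on the classpath (in 2.x, `SafeConstructor` takes a `LoaderOptions` argument); the two rule documents are constructed for the demo, and the `!!java.lang.Integer` tag is a deliberately harmless stand-in for whatever class name a tainted rule might carry.

```java
// Added example (not Dubbo's own code): SnakeYAML's default loader beside one
// built on SafeConstructor. Assumes SnakeYAML 1.x (org.yaml:snakeyaml).
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class YamlRuleLoaderDemo {

    // Constructed sample: an ordinary rule document with no type tags.
    static final String PLAIN_RULE =
            "configVersion: v2.7\n" +
            "scope: application\n" +
            "enabled: true\n";

    // Constructed sample: same shape, but a value carries a !!fully.qualified.Class
    // tag. java.lang.Integer is harmless; the point is that the document, not the
    // application, picks the class that gets instantiated.
    static final String TAGGED_RULE = "configVersion: !!java.lang.Integer 5\n";

    // Weak setting: new Yaml() uses the default Constructor, which resolves
    // !!<class> tags against the classpath and instantiates what it finds.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Corrected setting: SafeConstructor only builds the standard YAML types
    // (maps, lists, strings, numbers, booleans, nulls, timestamps) and rejects
    // any tag that names a Java class.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        // Both loaders accept an untagged rule document.
        System.out.println("default, plain : " + loadUnsafe(PLAIN_RULE));
        System.out.println("safe,    plain : " + loadSafe(PLAIN_RULE));

        // The default loader honours the class tag and builds a java.lang.Integer.
        Object v = ((Map<?, ?>) loadUnsafe(TAGGED_RULE)).get("configVersion");
        System.out.println("default, tagged: " + v.getClass().getName() + " " + v);

        // SafeConstructor refuses the same document with a ConstructorException
        // ("could not determine a constructor for the tag ...").
        try {
            loadSafe(TAGGED_RULE);
            System.out.println("safe,    tagged: accepted (unexpected)");
        } catch (YAMLException e) {
            System.out.println("safe,    tagged: rejected -> " + e.getMessage().split("\n")[0]);
        }
    }
}
```

Rules fetched from a configuration center are attacker-influenced input in the threat model this advisory describes, so the `SafeConstructor` form is the one to use; a rule that legitimately needs typed objects should be mapped onto a fixed set of known classes rather than resolved by tag.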

Fix

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2021-36162
GHSA-R577-4HQ7-73QH

Affected Products

Apache Dubbo