CVE-2021-36162
maven/org.apache.dubbo/dubbo
Code Injection
Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them.
All versions starting from 2.7.0 up to 2.7.12, all versions starting from 3.0.0 up to 3.0.1
Upgrade to versions 2.7.13, 3.0.2 or above.
2021-09-16
source |