CVE-2021-36162

Code Injection in maven/org.apache.dubbo/dubbo

Identifiers

CVE-2021-36162

Package Slug

maven/org.apache.dubbo/dubbo

Vulnerability

Code Injection

Description

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them.

Affected Versions

All versions starting from 2.7.0 up to 2.7.12, all versions starting from 3.0.0 up to 3.0.1

Solution

Upgrade to versions 2.7.13, 3.0.2 or above.

Last Modified

2021-09-16

source