CVE-2021-36162: Code Injection

September 7, 2021 (updated September 14, 2021)

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them.

References

nvd.nist.gov/vuln/detail/CVE-2021-36162

Detect and mitigate CVE-2021-36162 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →