CVE-2021-30181

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-30181

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-30181.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-30181

Aliases

GHSA-qmfc-6www-fjqw

Published

2021-06-01T14:15:09.967Z

Modified

2026-04-10T04:32:05.891319Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Affected packages

Git / github.com/apache/dubbo

Affected ranges

Type

GIT

Repo

https://github.com/apache/dubbo

Events

Introduced

31ca18c712de2016795ba59f499f7c254f9281d5

Fixed

9783ef060aa4fee95db01e8270c20688f30d773e

Introduced

614bcebc01336ee5047a98f96b28915680c0399c

Fixed

de9fc426cf57a74fab0d0cd37fabb0d9cf6086bd

Database specific

{
    "versions": [
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.6.10"
        },
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.10"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-30181.json"