CVE-2021-30181

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-30181

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-30181.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-30181

Aliases

GHSA-qmfc-6www-fjqw

Published

2021-06-01T14:15:09Z

Modified

2024-09-02T22:12:06Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Affected packages

Git / github.com/apache/dubbo

Affected ranges

Type: GIT
Repo: https://github.com/apache/dubbo
Events: Introduced

31ca18c712de2016795ba59f499f7c254f9281d5

Fixed

9783ef060aa4fee95db01e8270c20688f30d773e