CVE-2021-36162

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-36162

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36162.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-36162

Aliases

GHSA-r577-4hq7-73qh

Published

2021-09-07T10:15:07Z

Modified

2024-09-03T03:53:18.837299Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2

References

https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E

Affected packages

Git / github.com/apache/dubbo

Affected ranges

Type: GIT
Repo: https://github.com/apache/dubbo
Events: Introduced

236a45694e9a1925e0a57f42686996f6fbf4c694

Last affected

aa3fe7b74dfe282ab7c3b83b2fc5559d06c8f9b4

Introduced

614bcebc01336ee5047a98f96b28915680c0399c

Last affected

e8eeddbf42952e7dd4ba4428548f91006900ea5c

Affected versions

2.*

2.7.6

dubbo-2.*

dubbo-2.7.0

dubbo-2.7.1

dubbo-2.7.10

dubbo-2.7.11

dubbo-2.7.12

dubbo-2.7.4

dubbo-2.7.6

dubbo-2.7.7

dubbo-2.7.9

dubbo-3.*

dubbo-3.0.0

dubbo-3.0.1