CVE-2021-36162

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-36162
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36162.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-36162
Aliases
Published
2021-09-07T10:15:07.253Z
Modified
2026-04-10T04:35:25.148594Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2

References

Affected packages

Git / github.com/apache/dubbo

Affected ranges

Type
GIT
Repo
https://github.com/apache/dubbo
Events
Introduced
614bcebc01336ee5047a98f96b28915680c0399c
Last affected
e8eeddbf42952e7dd4ba4428548f91006900ea5c
Introduced
236a45694e9a1925e0a57f42686996f6fbf4c694
Last affected
aa3fe7b74dfe282ab7c3b83b2fc5559d06c8f9b4
Database specific 
{
    "versions": [
        {
            "introduced": "2.7.0"
        },
        {
            "last_affected": "2.7.12"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "last_affected": "3.0.1"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36162.json"