GHSA-qvm7-23cj-437v

Source

https://github.com/advisories/GHSA-qvm7-23cj-437v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-qvm7-23cj-437v/GHSA-qvm7-23cj-437v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qvm7-23cj-437v

Aliases

CVE-2021-36161

Published

2021-09-10T17:54:37Z

Modified

2023-11-08T04:06:12.598303Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Remote Code Execution in Apache Dubbo

Details

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2021-09-09T08:15:00Z",
    "cwe_ids": [
        "CWE-134"
    ],
    "github_reviewed_at": "2021-09-10T16:45:06Z",
    "severity": "CRITICAL"
}

References

Affected packages

Maven / org.apache.dubbo:dubbo

Package

Name: org.apache.dubbo:dubbo; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dubbo/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.13

Affected versions

2.*

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.4.1

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-qvm7-23cj-437v/GHSA-qvm7-23cj-437v.json"