Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Remediation

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Related Vulnerabilities

CVE-2019-16543 Vulnerability in maven package com.inflectra.spiratest.plugins:inflectra-spira-integration

CVE-2023-31101 Vulnerability in maven package org.apache.inlong:manager-pojo

CVE-2021-26117 Vulnerability in maven package org.apache.activemq:artemis-server

CVE-2021-44228 Vulnerability in maven package org.apache.logging.log4j:log4j-core

CVE-2021-29943 Vulnerability in maven package org.apache.solr:solr-core

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory NVD-CWE-noinfo