Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Remediation

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Related Vulnerabilities

CVE-2022-41253 Vulnerability in maven package org.jenkins-ci.plugins:cons3rt

CVE-2022-43434 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner

CVE-2020-2110 Vulnerability in maven package org.jenkins-ci.plugins:script-security

CVE-2022-36918 Vulnerability in maven package org.jenkins-ci.plugins:buckminster

CVE-2020-7729 Vulnerability in npm package grunt

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory NVD-CWE-noinfo