Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Remediation

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Related Vulnerabilities

CVE-2023-27603 Vulnerability in maven package org.apache.linkis:linkis-common

CVE-2020-2193 Vulnerability in maven package io.jenkins.plugins:echarts-api

CVE-2021-46361 Vulnerability in maven package info.magnolia:magnolia-core

CVE-2023-35145 Vulnerability in maven package org.jenkins-ci.plugins:sonargraph-integration

CVE-2023-30515 Vulnerability in maven package io.jenkins.plugins:thycotic-devops-secrets-vault

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory NVD-CWE-noinfo