Description
Some components in Dubbo try to print the formatted string of the input arguments, which can lead to remote code execution (RCE) when a maliciously crafted bean with a special toString method is passed in. The latest version fixes the toString calls in the timeout and cache handling and in some other places. Fixed in Apache Dubbo 2.7.13
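As an added illustration (this is not Dubbo's code; the class and method names are hypothetical), the pattern the description refers to: formatting caller-supplied arguments with String.valueOf or Arrays.toString invokes toString() on whatever object arrived over the wire, while the hardened variant only does so for types whose toString() is known to be side-effect free.

```java
import java.util.Arrays;
import java.util.stream.Collectors;

// Hypothetical standalone illustration (not Dubbo's code) of the pattern the advisory
// describes: a framework component formats caller-supplied arguments into a string,
// which invokes toString() on objects the remote caller controls.
public class ArgumentFormatting {

    // Stand-in for a deserialized bean whose toString() runs caller-chosen logic.
    // Here the side effect is a benign counter so the example is safe to run.
    static class UntrustedBean {
        static int toStringCalls = 0;
        @Override public String toString() {
            toStringCalls++;   // the point where untrusted logic would execute
            return "UntrustedBean";
        }
    }

    // Weak pattern: Arrays.toString reaches into every argument's toString().
    static String formatUnsafe(Object[] args) {
        return Arrays.toString(args);
    }

    // Hardened pattern: only render types whose toString() is side-effect free;
    // describe everything else by class name and identity hash without invoking it.
    static String formatSafe(Object[] args) {
        return Arrays.stream(args).map(ArgumentFormatting::describe)
                .collect(Collectors.joining(", ", "[", "]"));
    }

    static String describe(Object arg) {
        if (arg == null) return "null";
        if (arg instanceof String || arg instanceof Number || arg instanceof Boolean
                || arg instanceof Character || arg instanceof Enum) {
            return String.valueOf(arg);
        }
        return arg.getClass().getName() + "@" + Integer.toHexString(System.identityHashCode(arg));
    }

    public static void main(String[] a) {
        // Constructed sample arguments: two plain values and one untrusted bean.
        Object[] args = { "orderId", 42, new UntrustedBean() };
        System.out.println(formatSafe(args));
        System.out.println("toString() calls after safe formatting:   " + UntrustedBean.toStringCalls);
        System.out.println(formatUnsafe(args));
        System.out.println("toString() calls after unsafe formatting: " + UntrustedBean.toStringCalls);
    }
}
```

Running it shows the counter stays at zero after formatSafe and increments only once formatUnsafe touches the bean, which is the behaviour the fix in 2.7.13 aims to avoid in the affected code paths.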
Remediation
References
https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E
Related Vulnerabilities
CVE-2023-40582 Vulnerability in npm package find-exec
CVE-2023-31101 Vulnerability in maven package org.apache.inlong:manager-web
CVE-2020-2304 Vulnerability in maven package org.jenkins-ci.plugins:subversion
CVE-2020-15250 Vulnerability in maven package junit:junit
CVE-2020-2308 Vulnerability in maven package org.csanchez.jenkins.plugins:kubernetes