Description

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13

Remediation

References

https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E

Related Vulnerabilities

CVE-2021-39150 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2023-28708 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2021-36739 Vulnerability in maven package org.apache.portals.pluto.archetype:mvcbean-jsp-portlet-archetype

CVE-2021-39232 Vulnerability in maven package org.apache.ozone:ozone-main

CVE-2020-2231 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

Critical

Classification

CWE-134 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory