Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2021-36161 Vulnerability in maven package org.apache.dubbo:dubbo-common

Description

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13

Remediation

References

https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E

Related Vulnerabilities

CVE-2022-45347 Vulnerability in maven package org.apache.shardingsphere:shardingsphere-proxy

CVE-2021-45456 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2020-11022 Vulnerability in maven package org.fujion.webjars:jquery

CVE-2015-7499 Vulnerability in npm package libxmljs

CVE-2019-1003064 Vulnerability in maven package org.jenkins-ci.plugins:aws-device-farm

Severity

Critical

Classification

CWE-134 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory