Skip to main content

Dubbo CVE-2021-30181

CRITICAL
2021-06-01 security@apache.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 01, 2021 - 14:15 nvd
CRITICAL 9.8

DescriptionNVD

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

AnalysisAI

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code. Affected products include: Apache Dubbo. Version information: prior to 2.6.9.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Dubbo

View all
CVE-2023-46279 CRITICAL
9.8 Dec 15

Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5. Rated critic

CVE-2023-29234 CRITICAL
9.8 Dec 15

A deserialization vulnerability existed when decode a malicious package.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Ra

CVE-2023-23638 CRITICAL
9.8 Mar 08

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.7.x vers

CVE-2022-39198 CRITICAL
9.8 Oct 18

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malic

CVE-2021-37579 CRITICAL
9.8 Sep 09

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the con

CVE-2021-36161 CRITICAL
9.8 Sep 09

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for

CVE-2021-36163 CRITICAL
9.8 Sep 07

In Apache Dubbo, users may choose to use the Hessian protocol. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-30180 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. R

CVE-2021-30179 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfa

CVE-2021-25641 CRITICAL
9.8 Jun 01

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on.

CVE-2020-1948 CRITICAL
9.8 Jul 14

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. Rated critical severity (CVSS 9.8), this v

CVE-2021-36162 HIGH
8.8 Sep 07

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). Rate

Share

CVE-2021-30181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy