Skip to main content

Dubbo CVE-2021-36162

HIGH
2021-09-07 security@apache.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 07, 2021 - 10:15 nvd
HIGH 8.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 maven packages depend on org.apache.dubbo:dubbo (6 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionNVD

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2

AnalysisAI

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2 Affected products include: Apache Dubbo.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Dubbo

View all
CVE-2023-46279 CRITICAL
9.8 Dec 15

Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5. Rated critic

CVE-2023-29234 CRITICAL
9.8 Dec 15

A deserialization vulnerability existed when decode a malicious package.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Ra

CVE-2023-23638 CRITICAL
9.8 Mar 08

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.7.x vers

CVE-2022-39198 CRITICAL
9.8 Oct 18

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malic

CVE-2021-37579 CRITICAL
9.8 Sep 09

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the con

CVE-2021-36161 CRITICAL
9.8 Sep 09

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for

CVE-2021-36163 CRITICAL
9.8 Sep 07

In Apache Dubbo, users may choose to use the Hessian protocol. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-30181 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the r

CVE-2021-30180 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. R

CVE-2021-30179 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfa

CVE-2021-25641 CRITICAL
9.8 Jun 01

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on.

CVE-2020-1948 CRITICAL
9.8 Jul 14

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. Rated critical severity (CVSS 9.8), this v

Share

CVE-2021-36162 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy