Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Remediation

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Related Vulnerabilities

CVE-2022-36893 Vulnerability in maven package org.jenkins-ci.plugins:rpmsign-plugin

CVE-2019-10080 Vulnerability in maven package org.apache.nifi:nifi-commons

CVE-2020-9548 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-2122 Vulnerability in maven package org.jenkins-ci.plugins:brakeman

CVE-2021-23265 Vulnerability in maven package org.craftercms:crafter-core

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory NVD-CWE-noinfo