Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Remediation

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E

Related Vulnerabilities

CVE-2022-36904 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector

CVE-2020-15095 Vulnerability in maven package org.webjars:npm

CVE-2021-41532 Vulnerability in maven package org.apache.ozone:ozone-recon

CVE-2022-36922 Vulnerability in maven package org.jenkins-ci.plugins:lucene-search

CVE-2022-23913 Vulnerability in maven package org.apache.activemq:artemis-core-client

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Vendor Advisory NVD-CWE-noinfo