Description
Some components in Dubbo print the formatted string of their input arguments, which can lead to remote code execution (RCE) when an attacker supplies a maliciously customized bean with a specially crafted toString method. The latest version fixes the toString calls in the timeout and cache handling and in some other places. Fixed in Apache Dubbo 2.7.13.
Remediation
References
https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E