CVE-2021-36161

CWE-134Uncontrolled Format String4 documents4 sources
Severity
9.8CRITICAL
EPSS
2.7%
top 14.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache DubboApache Software Foundation Apache Dubbo
Timeline
PublishedSep 9
Latest updateSep 10

Description

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDapache/dubbo2.7.02.7.13
Mavenorg.apache.dubbo:dubbo< 2.7.13
CVEListV5apache_software_foundation/apache_dubboApache Dubbo 2.7.x2.7.12

🔴Vulnerability Details

3
OSV
Remote Code Execution in Apache Dubbo2021-09-10
GHSA
Remote Code Execution in Apache Dubbo2021-09-10
CVEList
Unprotected input value toString cause RCE2021-09-09
CVE-2021-36161 (CRITICAL CVSS 9.8) | Some component in Dubbo will try to | cvebase.io