CVE-2021-36162 — Command Injection in Software Foundation Apache Dubbo

CWE-77 — Command Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

1.0%

top 22.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Dubbo Apache Dubbo

Timeline

PublishedSep 7

Latest updateSep 8

Description

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/dubbo2.7.0 — 2.7.12+1

▶CVEListV5apache_software_foundation/apache_dubboApache Dubbo 2.7.x — 2.7.12+1

🔴Vulnerability Details

GHSA

Remote Code Execution in Apache Dubbo↗2021-09-08

▶

OSV

Remote Code Execution in Apache Dubbo↗2021-09-08

▶

CVEList

Unprotected yaml deserialization cause RCE↗2021-09-07

▶