You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@dubbo.apache.org by Jun Liu <li...@apache.org> on 2021/09/08 05:39:09 UTC
[CVE-2021-36161] Formating output of RPC arguments cause RCE
Hi
Severity: low
Vendor:
The Dubbo Project Team
Versions Affected:
Dubbo 2.7.0 to 2.7.12
Description:
Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places.
Solution:
Upgrade to 2.7.13 for users using 2.7.x
Credit:
This issue was first reported by Qin Ce from the Huawei
Jun