Posted to dev@dubbo.apache.org by Jun Liu <li...@apache.org> on 2021/05/31 01:21:33 UTC
[CVE-2021-30180] RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling)
Hi
Severity: low
Vendor:
The Dubbo Project Team
Versions Affected:
Dubbo 2.7.0 to 2.7.9
Description:
Apache Dubbo supports Tag routing, which enables a customer to route a request to the right server. Customers use these rules when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors. Only users who enable the Tag Router may be affected.
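As an added illustration (example code, not Dubbo's own parser or fix), the following loads a tag-router rule with SnakeYAML's SafeConstructor, which only builds plain maps, lists and scalars and refuses any explicitly tagged type instead of instantiating it. It assumes SnakeYAML 1.33 or later on the classpath; both rule documents are constructed samples, and the tagged class name is a placeholder.

```java
import java.util.List;
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeRouteRuleLoader {

    // Constructed sample of a tag-router rule in the 2.7 format (not a real deployment).
    static final String BENIGN_RULE =
        "force: false\n" +
        "runtime: true\n" +
        "enabled: true\n" +
        "priority: 1\n" +
        "key: demo-provider\n" +
        "tags:\n" +
        "  - name: tag1\n" +
        "    addresses: [\"192.0.2.10:20880\"]\n";

    // Constructed sample carrying an explicit global tag. SafeConstructor refuses the
    // tag before any class lookup, so the placeholder class does not need to exist.
    static final String TAGGED_RULE =
        "key: demo-provider\n" +
        "tags: !!com.example.NotAllowed {}\n";

    // Parses a routing rule with a constructor restricted to plain YAML types.
    // A Yaml() built with the default Constructor would instead try to
    // instantiate whatever class the document names in a tag.
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadRule(String text) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        Object doc = yaml.load(text);
        if (!(doc instanceof Map)) {
            throw new IllegalArgumentException("route rule must be a mapping");
        }
        return (Map<String, Object>) doc;
    }

    public static void main(String[] args) {
        Map<String, Object> rule = loadRule(BENIGN_RULE);
        List<?> tags = (List<?>) rule.get("tags");
        System.out.println("key=" + rule.get("key") + ", tags=" + tags.size());
        try {
            loadRule(TAGGED_RULE);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```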
Mitigation:
Upgrade to 2.7.10 or the latest 2.7 version.
https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
https://dubbo.apache.org/en/blog/2020/05/18/past-releases/
Credit:
This issue was first reported by GitHub Security Lab.
Jun