[MAVEN:GHSA-QVM7-23CJ-437V] Remote Code Execution in Apache Dubbo

Severity Critical
Affected Packages 1
Fixed Packages 1
CVEs 1

Some components in Dubbo try to print the formatted string of their input arguments, which can lead to RCE when a maliciously customized bean with a special toString method is passed in. The latest version fixes the toString calls in the timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13.

Package Affected Version
pkg:maven/org.apache.dubbo/dubbo < 2.7.13
Package Fixed Version
pkg:maven/org.apache.dubbo/dubbo = 2.7.13
ID
MAVEN:GHSA-QVM7-23CJ-437V
Severity
critical
URL
https://github.com/advisories/GHSA-qvm7-23cj-437v
Published
2021-09-10T17:54:37
Modified
2023-02-01T05:06:09
Rights
Maven Security Team
Type     | Package URL                      | Namespace        | Name / Product | Version  | Distribution / Platform | Arch | Patch / Fix
Affected | pkg:maven/org.apache.dubbo/dubbo | org.apache.dubbo | dubbo          | < 2.7.13 |                         |      |
Fixed    | pkg:maven/org.apache.dubbo/dubbo | org.apache.dubbo | dubbo          | = 2.7.13 |                         |      |