Apache Dubbo RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling)
CVE-2021-30180

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Dubbo
Vendor: CVE Published:; 1 June 2021

Summary

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.

Affected Version(s)

Apache Dubbo Apache Dubbo 2.7.x < 2.7.9

References

https://lists.apache.org/thread.html/raed526465e56204030d...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 1, 2021
Vulnerability Reserved
Apr 7, 2021

Credit

This issue was first reported by GitHub Security Lab