CVE-2021-36162 is a vulnerability in Apache Dubbo
Published on September 7, 2021
Unprotected yaml deserialization cause RCE
Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2
Products Associated with CVE-2021-36162
Want to know whenever a new CVE is published for Apache Dubbo? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Dubbo:- Version Apache Dubbo 2.7.x, <= 2.7.12 is affected.
- Version Apache Dubbo 3.0.x, <= 3.0.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.