CVE-2021-36161
Description
Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
2.734
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2021-37579,CVE-2021-36161,CVE-2021-36162,CVE-2021-36163 are fixed in Apache-dubbo 2.7.13 | Windows |
| Vulnerabilities CVE-2021-37579,CVE-2021-36161,CVE-2021-36162,CVE-2021-36163 are fixed in Apache-dubbo for Linux 2.7.13 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234