Описание
Code injection in Apache Dubbo
Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.
Пакеты
Наименование
org.apache.dubbo:dubbo
maven
Затронутые версииВерсия исправления
>= 2.7.0, < 2.7.10
2.7.10
Связанные уязвимости
CVSS3: 9.8
nvd
больше 4 лет назад
Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.