CVE-2021-30181

Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection)

EPSS 61.5%

Vexday Risk Score

15Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS —EPSS 61.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

29 May 2021Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Affected products

Apache Software Foundation · Apache Dubbo

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E