CVE-2021-30181

Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection)

EPSS 61.5%

Vexday Risk Score

15Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS —EPSS 61.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

29 mai 2021Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.

Produtos afetados

Apache Software Foundation · Apache Dubbo

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E