CVE-2021-30180

CVE-2021-30180: Apache Dubbo RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling)

Vendor: Apache Software Foundation
Product: Apache Dubbo
Published: May 31, 2021
Last update: August 3, 2024

What the vulnerability does

Description

Apache Dubbo prior to 2.7.9 supports Tag routing, which enables a customer to route a request to the right server. Customers use these rules when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may allow arbitrary constructors to be called.

Key dates

Disclosure timeline

May 31, 2021: CVE published
August 3, 2024: Record updated