CVE-2021-30181: Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection)

Vendor: Apache Software Foundation
Product: Apache Dubbo
Published: May 29, 2021
Last update: August 3, 2024

What the vulnerability does

Description

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing, which enables a customer to route a request to the right server. Customers use these rules when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine to run the script supplied in the rule, which by default may allow execution of arbitrary code.

Key dates

Disclosure timeline

May 29, 2021: CVE published
August 3, 2024: Record updated