CVE-2021-30180: Apache Dubbo RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling)
First published: Mon May 31 2021(Updated: )
Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Dubbo | >=2.7.0<2.7.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-30180?
CVE-2021-30180 is a vulnerability in Apache Dubbo prior to version 2.7.9 that allows customers to route requests to the right server using YAML rules, but may enable calling arbitrary constructs.
How severe is CVE-2021-30180?
CVE-2021-30180 has a severity rating of 9.8 out of 10, making it critical.
What is Apache Dubbo?
Apache Dubbo is a high-performance, lightweight, open-source Java RPC framework used for building microservices.
Which versions of Apache Dubbo are affected by CVE-2021-30180?
Apache Dubbo versions from 2.7.0 to 2.7.10 are affected by CVE-2021-30180.
How can the vulnerability be fixed?
To fix CVE-2021-30180, users should upgrade to Apache Dubbo version 2.7.9 or later.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/title
- agent/first-publish-date
- agent/tags
- agent/event
- agent/description
- vendor/apache
- canonical/apache dubbo
- version/apache dubbo/2.7.0