CVE-2021-30181: Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection)
First published: Sat May 29 2021(Updated: )
Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Dubbo | >=2.5.0<2.6.10 | |
| Apache Dubbo | >=2.7.0<2.7.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-30181?
The severity of CVE-2021-30181 is critical with a CVSS score of 9.8.
What is Apache Dubbo?
Apache Dubbo is a high-performance, Java-based open-source RPC (remote procedure call) framework.
What is Script routing in Apache Dubbo?
Script routing is a feature in Apache Dubbo that allows customers to route requests to the right server based on rules specified in scripts.
How does Apache Dubbo use ScriptEngine?
Apache Dubbo customers use ScriptEngine to parse and execute the rules for Script routing.
What is the fix for CVE-2021-30181?
To fix CVE-2021-30181, update Apache Dubbo to version 2.6.10 or 2.7.10 or later.
- collector/nvd-index
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/author
- agent/severity
- agent/last-modified-date
- agent/title
- agent/first-publish-date
- agent/tags
- agent/event
- agent/description
- agent/type
- vendor/apache
- canonical/apache dubbo
- version/apache dubbo/2.5.0
- version/apache dubbo/2.7.0