CVE-2021-36161

CRITICAL

Apache Dubbo <2.7.13 - RCE

Title source: llm

Description

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13

References (1)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.0273

EPSS Percentile 86.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-134

Status published

Products (2)

apache/dubbo 2.7.0 - 2.7.13

org.apache.dubbo/dubbo 0 - 2.7.13Maven

Published Sep 09, 2021

Tracked Since Feb 18, 2026