CVE-2021-36161
Remote Code Execution in Apache Dubbo
9.8
CRITICAL
CVSS 3.1
EPSS 2.7%
Description
Some components in Dubbo format their input arguments into a string, which invokes toString() on each argument. Because the arguments arrive over the RPC boundary, an attacker can supply a maliciously crafted bean whose toString() method executes arbitrary code, so the formatting step itself becomes a remote code execution vector. The fix removes the toString() calls in the timeout and cache code paths and in some other places. Fixed in Apache Dubbo 2.7.13.
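The following is an added example, not code from the Apache Dubbo project, that shows the bug class in isolation: a logging helper that formats untrusted arguments hands control to whatever toString() those arguments carry. AttackerControlledBean is a hypothetical stand-in for a bean that, in a real attack, would be produced by the RPC deserializer; here it only counts how often its toString() runs instead of doing anything harmful. The hardened variant names the argument's class and identity hash without dispatching to it.

```java
import java.util.Arrays;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical attacker-controlled argument. In Dubbo the bean would be
// reconstructed from the request by the deserializer; it is built locally here.
final class AttackerControlledBean {
    static final AtomicInteger TO_STRING_CALLS = new AtomicInteger();

    @Override
    public String toString() {
        // A real gadget would do something harmful here (load a class, run a
        // command, ...). This stand-in merely records that it was invoked.
        TO_STRING_CALLS.incrementAndGet();
        return "harmless";
    }
}

public class ToStringRceDemo {

    // Vulnerable pattern: Arrays.toString() calls String.valueOf() on every
    // element, i.e. the untrusted bean's own toString(). This is the shape of
    // call the 2.7.13 fix removed from the timeout and cache paths.
    static String describeArgumentsVulnerable(Object[] args) {
        return "invoked with " + Arrays.toString(args);
    }

    // Hardened pattern: describe each argument without calling into it.
    // Only JDK value types, whose toString() is trusted, are printed by value.
    static String describeArgumentsSafe(Object[] args) {
        StringBuilder sb = new StringBuilder("invoked with [");
        for (int i = 0; i < args.length; i++) {
            Object a = args[i];
            if (i > 0) sb.append(", ");
            if (a == null) {
                sb.append("null");
            } else if (a instanceof String || a instanceof Number || a instanceof Boolean) {
                sb.append(a);
            } else {
                sb.append(a.getClass().getName())
                  .append('@')
                  .append(Integer.toHexString(System.identityHashCode(a)));
            }
        }
        return sb.append(']').toString();
    }

    public static void main(String[] unused) {
        // Constructed sample invocation: a method name, a numeric id and the bean.
        Object[] args = { "getUser", 42, new AttackerControlledBean() };

        String vulnerable = describeArgumentsVulnerable(args);
        int afterVulnerable = AttackerControlledBean.TO_STRING_CALLS.get(); // 1

        String safe = describeArgumentsSafe(args);
        int afterSafe = AttackerControlledBean.TO_STRING_CALLS.get();       // still 1

        System.out.println(vulnerable + "  (toString calls so far: " + afterVulnerable + ")");
        System.out.println(safe + "  (toString calls so far: " + afterSafe + ")");
    }
}
```

Compile and run with `javac ToStringRceDemo.java && java ToStringRceDemo`. The counter advances only for the vulnerable helper; the same rule applies to string concatenation, String.format("%s", obj) and logger placeholders, all of which end in a toString() call on the object, so the safe variant must be used anywhere a deserialized argument reaches a log or error message.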
How to fix CVE-2021-36161
To remediate CVE-2021-36161, upgrade the affected package to a fixed version below.
- Upgrade Apache Dubbo to 2.7.13 or later.
Is CVE-2021-36161 being exploited?
Low: EPSS is 2.7%, i.e. the model estimates a 2.7% probability of exploitation activity in the wild within the next 30 days. This is a forecast, not an observation of exploitation; a low score does not mean the flaw is hard to exploit.
Affected packages (1)
- Apache Dubbo: all versions from 0 (inclusive) up to, but not including, 2.7.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |