{"containers": {"cna": {"affected": [{"product": "Apache Dubbo", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.7.9", "status": "affected", "version": "Apache Dubbo 2.7.x", "versionType": "custom"}, {"lessThan": "2.6.9", "status": "affected", "version": "Apache Dubbo 2.6.x", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code."}], "problemTypes": [{"descriptions": [{"description": "Script Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-05-29T07:30:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-30181", "STATE": "PUBLIC", "TITLE": "Apache Dubbo RCE on customers via Script route poisoning (Nashorn script injection)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Dubbo", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Dubbo 2.7.x", "version_value": "2.7.9"}, {"version_affected": "<", "version_name": "Apache Dubbo 2.6.x", "version_value": "2.6.9"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Script Injection"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:24:59.650Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-30181", "datePublished": "2021-05-29T07:30:12", "dateReserved": "2021-04-07T00:00:00", "dateUpdated": "2024-08-03T22:24:59.650Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "F38BFA3F-E32D-4F33-9E17-A1EF0F040E6D", "versionEndExcluding": "2.6.10", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A6C2034-505D-477A-83EE-E7ECDDD142A9", "versionEndExcluding": "2.7.10", "versionStartIncluding": "2.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code."}, {"lang": "es", "value": "Apache Dubbo versiones anteriores a 2.6.9 y 2.7.9, soporta el enrutamiento de Scripts que permitir\u00e1 al cliente enrutar la petici\u00f3n al servidor correcto. Estas reglas son usadas por los clientes cuando realizan una petici\u00f3n para encontrar el endpoint correcto. Al analizar estas reglas, los clientes de Dubbo usan ScriptEngine y ejecutan la regla proporcionada por el script que por defecto, puede permitir una ejecuci\u00f3n de c\u00f3digo arbitrario"}], "id": "CVE-2021-30181", "lastModified": "2024-11-21T06:03:28.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-01T14:15:09.967", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}