Arbitrary Constructor Calling Vulnerability in Apache Dubbo (CVE-2021-29425)

Arbitrary Constructor Calling Vulnerability in Apache Dubbo (CVE-2021-29425)

CVE-2021-30180 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.

Learn more about our Cis Benchmark Audit For Server Software.