漏洞标题
未保护的YAML解析导致RCE
漏洞描述信息
不加保护的yaml反序列化会导致RCE(远程代码执行)漏洞。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
N/A
漏洞标题
Unprotected yaml deserialization cause RCE
漏洞描述信息
Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Apache Dubbo 代码问题漏洞
漏洞描述信息
Apache Dubbo是美国阿帕奇(Apache)基金会的一款基于Java的轻量级RPC(远程过程调用)框架。该产品提供了基于接口的远程呼叫、容错和负载平衡以及自动服务注册和发现等功能。 Apache Dubbo 存在安全漏洞,有权访问配置中心的攻击者将能够毒化规则,当消费者检索到时,它将获得所有用户的 RCE。
CVSS信息
N/A
漏洞类别
代码问题