{"id":"GHSA-7wfc-x4f7-gg2x","summary":"Code injection in Apache Dubbo","details":"Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.","aliases":["CVE-2021-30180"],"modified":"2023-11-08T04:05:45.664767Z","published":"2022-03-18T17:58:01Z","database_specific":{"github_reviewed":true,"severity":"CRITICAL","nvd_published_at":"2021-06-01T14:15:00Z","github_reviewed_at":"2021-06-02T20:19:48Z","cwe_ids":["CWE-444","CWE-94"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30180"},{"type":"WEB","url":"https://lists.apache.org/thread.html/raed526465e56204030ddf374b1959478a290e7511971d7aba2e9e39b%40%3Cdev.dubbo.apache.org%3E"}],"affected":[{"package":{"name":"org.apache.dubbo:dubbo","ecosystem":"Maven","purl":"pkg:maven/org.apache.dubbo/dubbo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.7.0"},{"fixed":"2.7.10"}]}],"versions":["2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.7.4.1","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-7wfc-x4f7-gg2x/GHSA-7wfc-x4f7-gg2x.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}