Cyber Resilience

CVE-2021-36161

Critical

Published: 09 September 2021
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in Apache Dubbo 2.7.13)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0273 (86.3rd percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-36161 is a critical-severity vulnerability in Apache Dubbo classified as Use of Externally-Controlled Format String (CWE-134), with a CVSS v3.1 base score of 9.8 (Critical). The vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes a flaw reachable over the network without authentication or user interaction, with full impact on confidentiality, integrity and availability. Despite the CWE label, the mechanism is not a C-style printf format string: Dubbo components format RPC input arguments into diagnostic strings, and formatting an attacker-supplied bean invokes that bean's toString() method, which can lead to remote code execution.

Operationally, it ranks in the top 13.7% of CVEs by exploit likelihood (EPSS 0.0273); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Some component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13
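The mechanism described above, as an added example that is not Dubbo's own code: a hypothetical MaliciousBean stands in for an attacker-supplied, deserialized RPC argument; describeVulnerable formats the arguments into a diagnostic message the way a timeout or cache path might; describeSafe describes the same arguments by class name only. All class and method names are assumptions, and the sink is generic Java string formatting rather than the specific Dubbo call sites that were fixed.

```java
import java.util.Arrays;

public class ToStringSinkDemo {

    /** Hypothetical attacker-controlled bean; stands in for a deserialized RPC argument. */
    public static class MaliciousBean {
        static int invocations = 0;

        @Override
        public String toString() {
            // A real payload would do arbitrary work here (spawn a process, load a class, ...).
            // This demo only records that attacker-controlled code ran inside the formatter.
            invocations++;
            return "harmless-looking value";
        }
    }

    /** Vulnerable pattern: formatting untrusted objects implicitly calls their toString(). */
    static String describeVulnerable(String method, Object[] args) {
        // Arrays.toString() calls String.valueOf() on every element, i.e. toString().
        return String.format("timeout in %s with args %s", method, Arrays.toString(args));
    }

    /** Hardened pattern: describe untrusted objects by type only; never stringify them. */
    static String describeSafe(String method, Object[] args) {
        StringBuilder sb = new StringBuilder("timeout in ")
                .append(method)
                .append(" with arg types [");
        for (int i = 0; i < args.length; i++) {
            if (i > 0) {
                sb.append(", ");
            }
            sb.append(args[i] == null ? "null" : args[i].getClass().getName());
        }
        return sb.append(']').toString();
    }

    public static void main(String[] unused) {
        // Constructed sample input: one benign argument and one attacker-controlled bean.
        Object[] untrusted = { "orderId-42", new MaliciousBean() };

        System.out.println(describeVulnerable("placeOrder", untrusted));
        System.out.println("toString() ran " + MaliciousBean.invocations + " time(s) so far");

        System.out.println(describeSafe("placeOrder", untrusted));
        System.out.println("toString() ran " + MaliciousBean.invocations + " time(s) so far");
    }
}
```

Running main shows MaliciousBean.toString() executing once, during describeVulnerable, and not at all during describeSafe. The practitioner's takeaway is that any diagnostic path which stringifies untrusted deserialized objects (String.format, string concatenation, Arrays.toString, logger placeholders fed object arguments) is a code-execution sink; hardening keeps untrusted objects' toString() out of such paths, and for Dubbo the vendor fix is the 2.7.13 upgrade noted above.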

CWE(s)

CWE-134: Use of Externally-Controlled Format String

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
dubbo
2.7.0 up to, but not including, 2.7.13 (fixed in 2.7.13)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE. Until then, the only vendor-documented remediation is upgrading to Apache Dubbo 2.7.13 or later, where the toString calls in the timeout, cache and other affected code paths were fixed.
