Apache Dubbo RCE on customers via Condition route poisoning (Unsafe YAML unmarshaling)

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.

N/A

N/A

Apache Dubbo 环境问题漏洞

Apache Dubbo是美国阿帕奇（Apache）基金会的一款基于Java的轻量级RPC（远程过程调用）框架。该产品提供了基于接口的远程呼叫、容错和负载平衡以及自动服务注册和发现等功能。 Apache Dubbo 2.7.9之前存在安全漏洞，该漏洞源于标签路由规则由客户在发出请求以找到正确的端点时使用。在解析这些YAML规则时，Dubbo客户可能支持调用任意构造函数。

N/A

N/A