> Mitigation:
> 1. Upgrade to 2.7.10+ or 2.6.10+ respectively, according to the version
> you are staying on.
> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.9

Also find the release packages at the download page here.

Jun

> On May 28, 2021, at 11:59 PM, Jun Liu <liu...@apache.org> wrote:
>
> Hi
>
> Severity: low
>
> Vendor:
> The Dubbo Project Team
>
> Versions Affected:
> Dubbo 2.7.0 to 2.7.9
> Dubbo 2.6.0 to 2.6.9
> Dubbo all 2.5.x versions (not supported by the official team any longer)
>
> Description:
> Apache Dubbo supports Script routing, which enables a customer to route
> the request to the right server. These rules are used by the customers when
> making a request in order to find the right endpoint. When parsing these
> rules, Dubbo customers use ScriptEngine and run the rule provided by the
> script, which by default may enable executing arbitrary.
>
> Mitigation:
> 1. Upgrade to 2.7.10+ or 2.6.10+ respectively, according to the version
> you are staying on.
> https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
> https://github.com/apache/dubbo/releases/tag/dubbo-2.6.9
>
> Credit:
> This issue was first reported by GitHub Security Lab
>
> Jun