Hi,

Severity: low

Vendor: The Dubbo Project Team

Versions Affected: Dubbo 2.7.0 to 2.7.9

Description: Apache Dubbo supports Tag routing, which enables a customer to route a request to the right server. Customers use these rules when making a request in order to find the right endpoint. When Dubbo customers parse these YAML rules, the parser may call arbitrary constructors. Only users who enable Tag Router may be affected.

Mitigation: Upgrade to 2.7.10 or the latest 2.7 version.
https://github.com/apache/dubbo/releases/tag/dubbo-2.7.10
https://dubbo.apache.org/en/blog/2020/05/18/past-releases/

Credit: This issue was first reported by GitHub Security Lab

Jun
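
A way to parse such a rule so that no constructor named in the YAML is ever called, as an added example (not code from the Dubbo project). It assumes the rules are parsed with SnakeYAML 1.33 or 2.x, which the advisory does not state; the class name, the sample rules and the `!!com.example.Placeholder` tag are constructed for illustration.

```java
import java.util.List;
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeTagRuleParse {
    // SafeConstructor builds only standard YAML types (maps, lists, strings,
    // booleans, numbers). A tag naming a Java class has no constructor
    // registered, so load() throws instead of instantiating that class.
    static Map<?, ?> parseRule(String rawRule) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        Object doc = yaml.load(rawRule);
        if (!(doc instanceof Map)) {
            throw new IllegalArgumentException("rule must be a YAML mapping");
        }
        Map<?, ?> rule = (Map<?, ?>) doc;
        Object tags = rule.get("tags");
        if (tags != null) {
            if (!(tags instanceof List)) {
                throw new IllegalArgumentException("tags must be a list");
            }
            for (Object tag : (List<?>) tags) {
                // Each entry is plain data; validate its shape explicitly.
                if (!(tag instanceof Map) || !(((Map<?, ?>) tag).get("name") instanceof String)) {
                    throw new IllegalArgumentException("tag entry needs a string name");
                }
            }
        }
        return rule;
    }

    public static void main(String[] args) {
        // Constructed sample rules, not taken from the advisory.
        String plain = "force: false\nenabled: true\nkey: demo-provider\n"
                + "tags:\n  - name: tag1\n    addresses: [\"127.0.0.1:20880\"]\n";
        String typed = "key: demo-provider\ntags: !!com.example.Placeholder []\n";

        System.out.println("plain rule key: " + parseRule(plain).get("key"));
        try {
            parseRule(typed);
            System.out.println("typed rule accepted");
        } catch (YAMLException e) {
            System.out.println("typed rule rejected: " + e.getClass().getSimpleName());
        }
    }
}
```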
