Search criteria
57 vulnerabilities found for dubbo by apache
FKIE_CVE-2023-46279
Vulnerability from fkie_nvd - Published: 2023-12-15 09:15 - Updated: 2025-02-13 18:15
Severity ?
Summary
Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.
Users are recommended to upgrade to the latest version, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/12/15/3 | Mailing List, Vendor Advisory | |
| security@apache.org | https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/12/15/3 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:3.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "3C67689E-E6EB-41BB-A21B-FC2492EC8139",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en Apache Dubbo. Este problema solo afecta a Apache Dubbo 3.1.5. Se recomienda a los usuarios que actualicen a la \u00faltima versi\u00f3n, lo que soluciona el problema."
}
],
"id": "CVE-2023-46279",
"lastModified": "2025-02-13T18:15:34.690",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-15T09:15:07.490",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-29234
Vulnerability from fkie_nvd - Published: 2023-12-15 09:15 - Updated: 2025-02-13 17:16
Severity ?
Summary
A deserialization vulnerability existed when decode a malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.
Users are recommended to upgrade to the latest version, which fixes the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | http://www.openwall.com/lists/oss-security/2023/12/15/2 | Mailing List, Third Party Advisory | |
| security@apache.org | https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77 | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2023/12/15/2 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77 | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "90144295-4896-4CC2-B290-39F6830432D0",
"versionEndIncluding": "3.1.10",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9EC0F851-B214-47EE-BCE0-20CC670C0F8C",
"versionEndIncluding": "3.2.4",
"versionStartIncluding": "3.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed when decode a\u00a0malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."
},
{
"lang": "es",
"value": "Exist\u00eda una vulnerabilidad de deserializaci\u00f3n al decodificar un paquete malicioso. Este problema afecta a Apache Dubbo: desde 3.1.0 hasta 3.1.10, desde 3.2.0 hasta 3.2.4. Se recomienda a los usuarios que actualicen a la \u00faltima versi\u00f3n, lo que soluciona el problema."
}
],
"id": "CVE-2023-29234",
"lastModified": "2025-02-13T17:16:18.023",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-15T09:15:07.380",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"
},
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-23638
Vulnerability from fkie_nvd - Published: 2023-03-08 11:15 - Updated: 2024-11-21 07:46
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.
This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A275DC61-7FD6-4908-8213-2925FCA7ACDD",
"versionEndIncluding": "2.7.21",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "630DC28C-2AD7-4730-83F3-048D7B75F847",
"versionEndIncluding": "3.0.13",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7F75BA1E-C9C7-4462-A4FE-A6C5F8128796",
"versionEndIncluding": "3.1.5",
"versionStartIncluding": "3.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "
}
],
"id": "CVE-2023-23638",
"lastModified": "2024-11-21T07:46:35.343",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.4,
"source": "security@apache.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-08T11:15:10.390",
"references": [
{
"source": "security@apache.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-32824
Vulnerability from fkie_nvd - Published: 2023-01-03 18:15 - Updated: 2024-11-21 06:07
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5B86A59-6090-40DA-BF2D-FA2B524A96FA",
"versionEndExcluding": "2.6.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A6C2034-505D-477A-83EE-E7ECDDD142A9",
"versionEndExcluding": "2.7.10",
"versionStartIncluding": "2.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue."
},
{
"lang": "es",
"value": "Apache Dubbo es un framework RPC de c\u00f3digo abierto basado en Java. Las versiones anteriores a 2.6.10 y 2.7.10 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo previo a la autenticaci\u00f3n mediante manipulaci\u00f3n arbitraria de beans en el controlador Telnet. El puerto de servicio principal de Dubbo se puede utilizar para acceder a un controlador Telnet que ofrece algunos m\u00e9todos b\u00e1sicos para recopilar informaci\u00f3n sobre los proveedores y los m\u00e9todos expuestos por el servicio e incluso puede permitir cerrar el servicio. Este punto final no est\u00e1 protegido. Adem\u00e1s, se puede invocar un m\u00e9todo de proveedor utilizando el controlador `invoke`. Este controlador utiliza una versi\u00f3n segura de FastJson para procesar los argumentos de la llamada. Sin embargo, la lista resultante se procesa posteriormente con `PojoUtils.realize`, que puede usarse para crear instancias de clases arbitrarias e invocar a sus definidores. Aunque FastJson est\u00e1 protegido adecuadamente con una lista de bloqueo predeterminada, `PojoUtils.realize` no lo est\u00e1, y un atacante puede aprovechar eso para lograr la ejecuci\u00f3n remota de c\u00f3digo. Las versiones 2.6.10 y 2.7.10 contienen correcciones para este problema."
}
],
"id": "CVE-2021-32824",
"lastModified": "2024-11-21T06:07:49.563",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-03T18:15:12.420",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-39198
Vulnerability from fkie_nvd - Published: 2022-10-18 19:15 - Updated: 2025-05-13 15:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5F736F4F-0B7F-418B-BC7F-CA7AB6B71069",
"versionEndIncluding": "2.7.17",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F17AA9B1-7F6C-446F-932B-22C2CD00800B",
"versionEndIncluding": "3.0.11",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:3.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CAB4AF18-AF88-4910-B694-9C7F3562C35C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de deserializaci\u00f3n en Dubbo Hessian-Lite 3.2.12 y sus versiones anteriores, que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo malicioso. Este problema afecta a Apache Dubbo versi\u00f3n 2.7.x versi\u00f3n 2.7.17 y versiones anteriores; Apache Dubbo versi\u00f3n 3.0.x versi\u00f3n 3.0.11 y versiones anteriores; Apache Dubbo versi\u00f3n 3.1.x versi\u00f3n 3.1.0 y versiones anteriores"
}
],
"id": "CVE-2022-39198",
"lastModified": "2025-05-13T15:15:49.367",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-10-18T19:15:10.213",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2022-24969
Vulnerability from fkie_nvd - Published: 2022-06-09 16:15 - Updated: 2024-11-21 06:51
Severity ?
Summary
bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CF44A63F-EA41-4E06-A4AA-89AF58EFE905",
"versionEndExcluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B2FBCC30-3E2F-4826-9E57-D01F158B4184",
"versionEndExcluding": "2.7.15",
"versionStartIncluding": "2.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "bypass CVE-2021-25640 \u003e In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability."
},
{
"lang": "es",
"value": "Una omisi\u00f3n posteriores a CVE-2021-25640 En Apache Dubbo versiones anteriores a 2.6.12 y 2.7.15, el uso del m\u00e9todo parseURL conlleva a una omisi\u00f3n de la comprobaci\u00f3n de host blanco que puede causar un redireccionamiento abierto o una vulnerabilidad de tipo SSRF"
}
],
"id": "CVE-2022-24969",
"lastModified": "2024-11-21T06:51:28.693",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-09T16:15:08.340",
"references": [
{
"source": "security@apache.org",
"tags": [
"Broken Link"
],
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-601"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-43297
Vulnerability from fkie_nvd - Published: 2022-01-10 16:15 - Updated: 2024-11-21 06:29
Severity ?
Summary
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww | Mailing List, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0C18088F-7CD5-4E22-9749-F4B703347A68",
"versionEndExcluding": "2.6.12",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B2FBCC30-3E2F-4826-9E57-D01F158B4184",
"versionEndExcluding": "2.7.15",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DCE9F3A7-DA3B-40DA-B048-68D52395DE2B",
"versionEndExcluding": "3.0.5",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de deserializaci\u00f3n en Dubbo Hessian-lite versiones 3.2.11 y sus versiones anteriores, que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo malicioso. La mayor\u00eda de usuarios de Dubbo usan Hessian2 como el protocolo de serializaci\u00f3n/deserializaci\u00f3n por defecto, durante la captura de excepciones no esperadas de Hessian, Hessian sacar\u00e1 alguna informaci\u00f3n para usuarios, lo que puede causar una ejecuci\u00f3n de comandos remotos. Este problema afecta a Apache Dubbo versiones 2.6.x anteriores a 2.6.12; Apache Dubbo versiones 2.7.x anteriores a 2.7.15; Apache Dubbo versiones 3.0.x anteriores a 3.0.5"
}
],
"id": "CVE-2021-43297",
"lastModified": "2024-11-21T06:29:01.710",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-10T16:15:09.527",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-37579
Vulnerability from fkie_nvd - Published: 2021-09-09 08:15 - Updated: 2024-11-21 06:15
Severity ?
Summary
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1B4A0B-5B2C-466E-8C53-104288083BA2",
"versionEndExcluding": "2.7.13",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BEA6EFAB-07E9-4850-9B0F-3E6381E5D290",
"versionEndExcluding": "3.0.2",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there\u0027s an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found."
},
{
"lang": "es",
"value": "El Dubbo Provider comprobar\u00e1 que la petici\u00f3n entrante y el tipo de serializaci\u00f3n correspondiente de esta petici\u00f3n cumplen con la configuraci\u00f3n establecida por el servidor. Pero se presenta una excepci\u00f3n que el atacante puede usar para omitir la comprobaci\u00f3n de seguridad (cuando est\u00e1 habilitada) y llegar a una operaci\u00f3n de deserializaci\u00f3n con serializaci\u00f3n nativa de java. Apache Dubbo versiones 2.7.13, 3.0.2 corrigi\u00f3 este problema al fallar r\u00e1pidamente cuando se encontraba alguna petici\u00f3n no reconocida"
}
],
"id": "CVE-2021-37579",
"lastModified": "2024-11-21T06:15:27.780",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-09T08:15:30.890",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-36161
Vulnerability from fkie_nvd - Published: 2021-09-09 08:15 - Updated: 2024-11-21 06:13
Severity ?
Summary
Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA1B4A0B-5B2C-466E-8C53-104288083BA2",
"versionEndExcluding": "2.7.13",
"versionStartIncluding": "2.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13"
},
{
"lang": "es",
"value": "Algunos componentes en Dubbo intentar\u00e1n imprimir la cadena formateada de los argumentos de entrada, lo que posiblemente causar\u00e1 RCE para un bean personalizado maliciosamente con el m\u00e9todo especial toString. En la \u00faltima versi\u00f3n, corregimos la llamada a toString en timeout, cache y algunos otros lugares. Corregido en Apache Dubbo versi\u00f3n 2.7.13"
}
],
"id": "CVE-2021-36161",
"lastModified": "2024-11-21T06:13:13.923",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-09T08:15:28.667",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-134"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-36162
Vulnerability from fkie_nvd - Published: 2021-09-07 10:15 - Updated: 2024-11-21 06:13
Severity ?
Summary
Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5520546-424D-48E9-BAF1-F9F9969B81F9",
"versionEndIncluding": "2.7.12",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6E13EEA-50E4-4E45-9C9E-8E32F6A765A5",
"versionEndIncluding": "3.0.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library to load the rules which by default will enable calling arbitrary constructors. An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them. This was fixed in Dubbo 2.7.13, 3.0.2"
},
{
"lang": "es",
"value": "Apache Dubbo es compatible con varias reglas para soportar la anulaci\u00f3n de la configuraci\u00f3n o el enrutamiento del tr\u00e1fico (llamado enrutamiento en Dubbo). Estas reglas son cargadas en el centro de configuraci\u00f3n (por ejemplo: Zookeeper, Nacos, ...) y son recuperadas por los clientes cuando hacen una petici\u00f3n con el fin de encontrar el endpoint correcto. Cuando son analizadas estas reglas YAML, los clientes de Dubbo usar\u00e1n la biblioteca SnakeYAML para cargar las reglas que, por defecto, permitir\u00e1n llamar a constructores arbitrarios. Un atacante con acceso al centro de configuraci\u00f3n podr\u00e1 envenenar la regla para que cuando sea recuperada por los consumidores, obtenga RCE en todos ellos. Esto fue corregido en Dubbo versiones 2.7.13, 3.0.2"
}
],
"id": "CVE-2021-36162",
"lastModified": "2024-11-21T06:13:14.037",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-07T10:15:07.253",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-36163
Vulnerability from fkie_nvd - Published: 2021-09-07 10:15 - Updated: 2024-11-21 06:13
Severity ?
Summary
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B5520546-424D-48E9-BAF1-F9F9969B81F9",
"versionEndIncluding": "2.7.12",
"versionStartIncluding": "2.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F6E13EEA-50E4-4E45-9C9E-8E32F6A765A5",
"versionEndIncluding": "3.0.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1"
},
{
"lang": "es",
"value": "En Apache Dubbo, unos usuarios pueden elegir usar el protocolo Hessian. El protocolo Hessian es implementado sobre HTTP y pasa el cuerpo de una petici\u00f3n POST directamente a un HessianSkeleton: Los nuevos HessianSkeleton son creados sin ninguna configuraci\u00f3n de la f\u00e1brica de serializaci\u00f3n y, por tanto, sin aplicar las propiedades de Dubbo para aplicar listas de tipos permitidos o bloqueados. Adem\u00e1s, el servicio gen\u00e9rico siempre est\u00e1 expuesto y, por tanto, los atacantes no necesitan averiguar un par de nombres de servicio/m\u00e9todo v\u00e1lidos. Esto se ha corregido en las versiones 2.7.13, 2.6.10.1"
}
],
"id": "CVE-2021-36163",
"lastModified": "2024-11-21T06:13:14.167",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-09-07T10:15:07.333",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-46279 (GCVE-0-2023-46279)
Vulnerability from cvelistv5 – Published: 2023-12-15 08:15 – Updated: 2025-02-13 17:14
VLAI?
Title
Apache Dubbo: Bypass deny serialize list check in Apache Dubbo
Summary
Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.
Users are recommended to upgrade to the latest version, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
3.1.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Apache Dubbo.\u003cp\u003eThis issue only affects Apache Dubbo 3.1.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to the latest version, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T08:20:07.536Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Dubbo: Bypass deny serialize list check in Apache Dubbo",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46279",
"datePublished": "2023-12-15T08:15:56.146Z",
"dateReserved": "2023-10-20T06:54:30.344Z",
"dateUpdated": "2025-02-13T17:14:24.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29234 (GCVE-0-2023-29234)
Vulnerability from cvelistv5 – Published: 2023-12-15 08:14 – Updated: 2025-02-13 16:49
VLAI?
Title
Bypass serialize checks in Apache Dubbo
Summary
A deserialization vulnerability existed when decode a malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.
Users are recommended to upgrade to the latest version, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
3.1.0 , ≤ 3.1.10
(semver)
Affected: 3.2.0 , ≤ 3.2.4 (semver) |
Credits
Bofei Chen, Lei Zhang, Guangliang Yang, Keke Lian and Xinyou Huang
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.993Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.1.10",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.2.4",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bofei Chen, Lei Zhang, Guangliang Yang, Keke Lian and Xinyou Huang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A deserialization vulnerability existed when decode a\u0026nbsp;malicious package.\u003cp\u003eThis issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to the latest version, which fixes the issue.\u003c/p\u003e"
}
],
"value": "A deserialization vulnerability existed when decode a\u00a0malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T08:15:07.526Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bypass serialize checks in Apache Dubbo",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29234",
"datePublished": "2023-12-15T08:14:47.561Z",
"dateReserved": "2023-04-04T09:31:05.236Z",
"dateUpdated": "2025-02-13T16:49:03.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23638 (GCVE-0-2023-23638)
Vulnerability from cvelistv5 – Published: 2023-03-08 10:48 – Updated: 2024-10-23 16:41
VLAI?
Title
Apache Dubbo Deserialization Vulnerability Gadgets Bypass
Summary
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.
This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
Severity ?
5 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.21
(maven)
Affected: Apache Dubbo 3.0.x , ≤ 3.0.13 (maven) Affected: Apache Dubbo 3.1.x , ≤ 3.1.5 (maven) |
Credits
yemoli、R1ckyZ、Koishi、cxc
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T16:41:19.165832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T16:41:29.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.21",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.0.13",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.1.5",
"status": "affected",
"version": "Apache Dubbo 3.1.x",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yemoli\u3001R1ckyZ\u3001Koishi\u3001cxc"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \u003cbr\u003e\u003cbr\u003eThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "
}
],
"value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-08T10:48:58.574Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Dubbo Deserialization Vulnerability Gadgets Bypass",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-23638",
"datePublished": "2023-03-08T10:48:58.574Z",
"dateReserved": "2023-01-17T04:09:09.075Z",
"dateUpdated": "2024-10-23T16:41:29.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32824 (GCVE-0-2021-32824)
Vulnerability from cvelistv5 – Published: 2023-01-03 00:00 – Updated: 2025-03-10 21:33
VLAI?
Title
Regular expression Denial of Service in MooTools
Summary
Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-32824",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:02:39.261493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:33:25.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Dubbo",
"vendor": "Apache",
"versions": [
{
"lessThan": "2.6.10",
"status": "affected",
"version": "2.6.10",
"versionType": "custom"
},
{
"lessThan": "2.7.10",
"status": "affected",
"version": "2.7.10",
"versionType": "custom"
},
{
"lessThan": "2.7.0*",
"status": "affected",
"version": "2.7.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
}
],
"source": {
"advisory": "GHSL-2021-039",
"defect": [
"GHSL-2021-039"
],
"discovery": "UNKNOWN"
},
"title": "Regular expression Denial of Service in MooTools",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32824",
"datePublished": "2023-01-03T00:00:00.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2025-03-10T21:33:25.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39198 (GCVE-0-2022-39198)
Vulnerability from cvelistv5 – Published: 2022-10-18 00:00 – Updated: 2025-05-13 14:48
VLAI?
Title
Apache Dubbo Hession Deserialization Vulnerability Gadgets Bypass
Summary
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.17
(custom)
Affected: Apache Dubbo 3.0.x , ≤ 3.0.11 (custom) Affected: Apache Dubbo 3.1.x , ≤ 3.1.0 (custom) |
Credits
yemoli&cxc
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-39198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:48:24.261938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:48:42.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.17",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.0.11",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1.0",
"status": "affected",
"version": "Apache Dubbo 3.1.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "yemoli\u0026cxc"
}
],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-18T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Dubbo Hession Deserialization Vulnerability Gadgets Bypass",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-39198",
"datePublished": "2022-10-18T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-05-13T14:48:42.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24969 (GCVE-0-2022-24969)
Vulnerability from cvelistv5 – Published: 2022-06-06 22:00 – Updated: 2024-08-03 04:29
VLAI?
Title
bypass of CVE-2021-25640
Summary
bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
Severity ?
No CVSS data available.
CWE
- CWE-918 - bypass CVE-2021-25640 (CWE-918 Server-Side Request Forgery (SSRF))
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , < 2.7.15
(custom)
Affected: Apache Dubbo 2.6.x , ≤ 2.6.12 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.7.15",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.12",
"status": "affected",
"version": "Apache Dubbo 2.6.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "bypass CVE-2021-25640 \u003e In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "bypass CVE-2021-25640 (CWE-918 Server-Side Request Forgery (SSRF))",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-06T22:00:16",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "bypass of CVE-2021-25640",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-24969",
"STATE": "PUBLIC",
"TITLE": "bypass of CVE-2021-25640"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.15"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.6.x",
"version_value": "2.6.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "bypass CVE-2021-25640 \u003e In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "bypass CVE-2021-25640 (CWE-918 Server-Side Request Forgery (SSRF))"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-24969",
"datePublished": "2022-06-06T22:00:16",
"dateReserved": "2022-02-11T00:00:00",
"dateUpdated": "2024-08-03T04:29:01.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43297 (GCVE-0-2021-43297)
Vulnerability from cvelistv5 – Published: 2022-01-10 15:25 – Updated: 2024-08-04 03:55
VLAI?
Title
Dubbo Hessian cause RCE when parse error
Summary
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.6.x , < 2.6.12
(custom)
Affected: Apache Dubbo 2.7.x , < 2.7.15 (custom) Affected: Apache Dubbo 3.0.x , < 3.0.5 (custom) |
Credits
There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc&yhbl&wh1t3p1g&fynch3r from G5-RD6@IIE 2. yxxx
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.6.12",
"status": "affected",
"version": "Apache Dubbo 2.6.x",
"versionType": "custom"
},
{
"lessThan": "2.7.15",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThan": "3.0.5",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc\u0026yhbl\u0026wh1t3p1g\u0026fynch3r from G5-RD6@IIE 2. yxxx"
}
],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-10T15:25:48",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Dubbo Hessian cause RCE when parse error",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-43297",
"STATE": "PUBLIC",
"TITLE": "Dubbo Hessian cause RCE when parse error"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 2.6.x",
"version_value": "2.6.12"
},
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.15"
},
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 3.0.x",
"version_value": "3.0.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc\u0026yhbl\u0026wh1t3p1g\u0026fynch3r from G5-RD6@IIE 2. yxxx"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-43297",
"datePublished": "2022-01-10T15:25:48",
"dateReserved": "2021-11-03T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37579 (GCVE-0-2021-37579)
Vulnerability from cvelistv5 – Published: 2021-09-09 07:45 – Updated: 2024-08-04 01:23
VLAI?
Title
Bypass deserialization checks in Apache Dubbo
Summary
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.
Severity ?
No CVSS data available.
CWE
- Remote Code Execution by tempering the serialization id on server side.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.12
(custom)
Affected: Apache Dubbo 3.0.x , ≤ 3.0.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.12",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there\u0027s an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution by tempering the serialization id on server side.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-09T07:45:12",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bypass deserialization checks in Apache Dubbo",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-37579",
"STATE": "PUBLIC",
"TITLE": "Bypass deserialization checks in Apache Dubbo"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.12"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 3.0.x",
"version_value": "3.0.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there\u0027s an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution by tempering the serialization id on server side."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-37579",
"datePublished": "2021-09-09T07:45:12",
"dateReserved": "2021-07-27T00:00:00",
"dateUpdated": "2024-08-04T01:23:01.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36161 (GCVE-0-2021-36161)
Vulnerability from cvelistv5 – Published: 2021-09-09 07:45 – Updated: 2024-08-04 00:47
VLAI?
Title
Unprotected input value toString cause RCE
Summary
Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13
Severity ?
No CVSS data available.
CWE
- Remote Code Execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.12
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.12",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-09T07:45:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unprotected input value toString cause RCE",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36161",
"STATE": "PUBLIC",
"TITLE": "Unprotected input value toString cause RCE"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36161",
"datePublished": "2021-09-09T07:45:11",
"dateReserved": "2021-07-06T00:00:00",
"dateUpdated": "2024-08-04T00:47:43.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36163 (GCVE-0-2021-36163)
Vulnerability from cvelistv5 – Published: 2021-09-07 09:25 – Updated: 2024-08-04 00:47
VLAI?
Title
Unsafe deserialization in providers using the Hessian protocol
Summary
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1
Severity ?
No CVSS data available.
CWE
- Remote Code Execution by tempering the serialization id on server side.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.12
(custom)
Affected: Apache Dubbo 2.6.x , ≤ 2.6.10 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.869Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.12",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.10",
"status": "affected",
"version": "Apache Dubbo 2.6.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution by tempering the serialization id on server side.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-07T09:25:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unsafe deserialization in providers using the Hessian protocol",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36163",
"STATE": "PUBLIC",
"TITLE": "Unsafe deserialization in providers using the Hessian protocol"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.12"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.6.x",
"version_value": "2.6.10"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution by tempering the serialization id on server side."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36163",
"datePublished": "2021-09-07T09:25:11",
"dateReserved": "2021-07-06T00:00:00",
"dateUpdated": "2024-08-04T00:47:43.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46279 (GCVE-0-2023-46279)
Vulnerability from nvd – Published: 2023-12-15 08:15 – Updated: 2025-02-13 17:14
VLAI?
Title
Apache Dubbo: Bypass deny serialize list check in Apache Dubbo
Summary
Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.
Users are recommended to upgrade to the latest version, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
3.1.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.310Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Apache Dubbo.\u003cp\u003eThis issue only affects Apache Dubbo 3.1.5.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to the latest version, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T08:20:07.536Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Dubbo: Bypass deny serialize list check in Apache Dubbo",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-46279",
"datePublished": "2023-12-15T08:15:56.146Z",
"dateReserved": "2023-10-20T06:54:30.344Z",
"dateUpdated": "2025-02-13T17:14:24.160Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29234 (GCVE-0-2023-29234)
Vulnerability from nvd – Published: 2023-12-15 08:14 – Updated: 2025-02-13 16:49
VLAI?
Title
Bypass serialize checks in Apache Dubbo
Summary
A deserialization vulnerability existed when decode a malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.
Users are recommended to upgrade to the latest version, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
3.1.0 , ≤ 3.1.10
(semver)
Affected: 3.2.0 , ≤ 3.2.4 (semver) |
Credits
Bofei Chen, Lei Zhang, Guangliang Yang, Keke Lian and Xinyou Huang
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.993Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "3.1.10",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.2.4",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bofei Chen, Lei Zhang, Guangliang Yang, Keke Lian and Xinyou Huang"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A deserialization vulnerability existed when decode a\u0026nbsp;malicious package.\u003cp\u003eThis issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to the latest version, which fixes the issue.\u003c/p\u003e"
}
],
"value": "A deserialization vulnerability existed when decode a\u00a0malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-15T08:15:07.526Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bypass serialize checks in Apache Dubbo",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29234",
"datePublished": "2023-12-15T08:14:47.561Z",
"dateReserved": "2023-04-04T09:31:05.236Z",
"dateUpdated": "2025-02-13T16:49:03.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23638 (GCVE-0-2023-23638)
Vulnerability from nvd – Published: 2023-03-08 10:48 – Updated: 2024-10-23 16:41
VLAI?
Title
Apache Dubbo Deserialization Vulnerability Gadgets Bypass
Summary
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.
This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
Severity ?
5 (Medium)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.21
(maven)
Affected: Apache Dubbo 3.0.x , ≤ 3.0.13 (maven) Affected: Apache Dubbo 3.1.x , ≤ 3.1.5 (maven) |
Credits
yemoli、R1ckyZ、Koishi、cxc
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.761Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-23638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T16:41:19.165832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T16:41:29.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.21",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.0.13",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.1.5",
"status": "affected",
"version": "Apache Dubbo 3.1.x",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "yemoli\u3001R1ckyZ\u3001Koishi\u3001cxc"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \u003cbr\u003e\u003cbr\u003eThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "
}
],
"value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-08T10:48:58.574Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Dubbo Deserialization Vulnerability Gadgets Bypass",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-23638",
"datePublished": "2023-03-08T10:48:58.574Z",
"dateReserved": "2023-01-17T04:09:09.075Z",
"dateUpdated": "2024-10-23T16:41:29.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32824 (GCVE-0-2021-32824)
Vulnerability from nvd – Published: 2023-01-03 00:00 – Updated: 2025-03-10 21:33
VLAI?
Title
Regular expression Denial of Service in MooTools
Summary
Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-32824",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-10T21:02:39.261493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-10T21:33:25.495Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Dubbo",
"vendor": "Apache",
"versions": [
{
"lessThan": "2.6.10",
"status": "affected",
"version": "2.6.10",
"versionType": "custom"
},
{
"lessThan": "2.7.10",
"status": "affected",
"version": "2.7.10",
"versionType": "custom"
},
{
"lessThan": "2.7.0*",
"status": "affected",
"version": "2.7.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
}
],
"source": {
"advisory": "GHSL-2021-039",
"defect": [
"GHSL-2021-039"
],
"discovery": "UNKNOWN"
},
"title": "Regular expression Denial of Service in MooTools",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32824",
"datePublished": "2023-01-03T00:00:00.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2025-03-10T21:33:25.495Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39198 (GCVE-0-2022-39198)
Vulnerability from nvd – Published: 2022-10-18 00:00 – Updated: 2025-05-13 14:48
VLAI?
Title
Apache Dubbo Hession Deserialization Vulnerability Gadgets Bypass
Summary
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.17
(custom)
Affected: Apache Dubbo 3.0.x , ≤ 3.0.11 (custom) Affected: Apache Dubbo 3.1.x , ≤ 3.1.0 (custom) |
Credits
yemoli&cxc
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.797Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-39198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T14:48:24.261938Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T14:48:42.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.17",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.0.11",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.1.0",
"status": "affected",
"version": "Apache Dubbo 3.1.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "yemoli\u0026cxc"
}
],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions."
}
],
"metrics": [
{
"other": {
"content": {
"other": "moderate"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-18T00:00:00.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Dubbo Hession Deserialization Vulnerability Gadgets Bypass",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-39198",
"datePublished": "2022-10-18T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-05-13T14:48:42.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24969 (GCVE-0-2022-24969)
Vulnerability from nvd – Published: 2022-06-06 22:00 – Updated: 2024-08-03 04:29
VLAI?
Title
bypass of CVE-2021-25640
Summary
bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
Severity ?
No CVSS data available.
CWE
- CWE-918 - bypass CVE-2021-25640 (CWE-918 Server-Side Request Forgery (SSRF))
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , < 2.7.15
(custom)
Affected: Apache Dubbo 2.6.x , ≤ 2.6.12 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:01.633Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.7.15",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "2.6.12",
"status": "affected",
"version": "Apache Dubbo 2.6.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "bypass CVE-2021-25640 \u003e In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "bypass CVE-2021-25640 (CWE-918 Server-Side Request Forgery (SSRF))",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-06T22:00:16",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "bypass of CVE-2021-25640",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-24969",
"STATE": "PUBLIC",
"TITLE": "bypass of CVE-2021-25640"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.15"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.6.x",
"version_value": "2.6.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "bypass CVE-2021-25640 \u003e In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "bypass CVE-2021-25640 (CWE-918 Server-Side Request Forgery (SSRF))"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-24969",
"datePublished": "2022-06-06T22:00:16",
"dateReserved": "2022-02-11T00:00:00",
"dateUpdated": "2024-08-03T04:29:01.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43297 (GCVE-0-2021-43297)
Vulnerability from nvd – Published: 2022-01-10 15:25 – Updated: 2024-08-04 03:55
VLAI?
Title
Dubbo Hessian cause RCE when parse error
Summary
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.6.x , < 2.6.12
(custom)
Affected: Apache Dubbo 2.7.x , < 2.7.15 (custom) Affected: Apache Dubbo 3.0.x , < 3.0.5 (custom) |
Credits
There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc&yhbl&wh1t3p1g&fynch3r from G5-RD6@IIE 2. yxxx
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.6.12",
"status": "affected",
"version": "Apache Dubbo 2.6.x",
"versionType": "custom"
},
{
"lessThan": "2.7.15",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThan": "3.0.5",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc\u0026yhbl\u0026wh1t3p1g\u0026fynch3r from G5-RD6@IIE 2. yxxx"
}
],
"descriptions": [
{
"lang": "en",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."
}
],
"metrics": [
{
"other": {
"content": {
"other": "high"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-10T15:25:48",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Dubbo Hessian cause RCE when parse error",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-43297",
"STATE": "PUBLIC",
"TITLE": "Dubbo Hessian cause RCE when parse error"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 2.6.x",
"version_value": "2.6.12"
},
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.15"
},
{
"version_affected": "\u003c",
"version_name": "Apache Dubbo 3.0.x",
"version_value": "3.0.5"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc\u0026yhbl\u0026wh1t3p1g\u0026fynch3r from G5-RD6@IIE 2. yxxx"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-43297",
"datePublished": "2022-01-10T15:25:48",
"dateReserved": "2021-11-03T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-37579 (GCVE-0-2021-37579)
Vulnerability from nvd – Published: 2021-09-09 07:45 – Updated: 2024-08-04 01:23
VLAI?
Title
Bypass deserialization checks in Apache Dubbo
Summary
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.
Severity ?
No CVSS data available.
CWE
- Remote Code Execution by tempering the serialization id on server side.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.12
(custom)
Affected: Apache Dubbo 3.0.x , ≤ 3.0.1 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:23:01.305Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.12",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
},
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "Apache Dubbo 3.0.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there\u0027s an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution by tempering the serialization id on server side.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-09T07:45:12",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Bypass deserialization checks in Apache Dubbo",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-37579",
"STATE": "PUBLIC",
"TITLE": "Bypass deserialization checks in Apache Dubbo"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.12"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 3.0.x",
"version_value": "3.0.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there\u0027s an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution by tempering the serialization id on server side."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-37579",
"datePublished": "2021-09-09T07:45:12",
"dateReserved": "2021-07-27T00:00:00",
"dateUpdated": "2024-08-04T01:23:01.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36161 (GCVE-0-2021-36161)
Vulnerability from nvd – Published: 2021-09-09 07:45 – Updated: 2024-08-04 00:47
VLAI?
Title
Unprotected input value toString cause RCE
Summary
Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13
Severity ?
No CVSS data available.
CWE
- Remote Code Execution
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Dubbo |
Affected:
Apache Dubbo 2.7.x , ≤ 2.7.12
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.7.12",
"status": "affected",
"version": "Apache Dubbo 2.7.x",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-09T07:45:11",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unprotected input value toString cause RCE",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36161",
"STATE": "PUBLIC",
"TITLE": "Unprotected input value toString cause RCE"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Dubbo 2.7.x",
"version_value": "2.7.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest version, we fix the toString call in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36161",
"datePublished": "2021-09-09T07:45:11",
"dateReserved": "2021-07-06T00:00:00",
"dateUpdated": "2024-08-04T00:47:43.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}