CVE-2022-39198

2022-10-1819:15:10

CWE-502

[email protected]

web.nvd.nist.gov

cve-2022-39198

dubbo

hessian-lite

deserialization vulnerability

code execution

nvd

apache dubbo

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.5 High

AI Score

Confidence

High

0.011 Low

EPSS

Percentile

84.8%

JSON

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.

Affected configurations

Vulners

NVD

Node

apachedubboRange≤2.7.17

apachedubboRange≤3.0.11

apachedubboRange≤3.1.0

CPENameOperatorVersion
apache:dubboapache dubbole2.7.17
apache:dubboapache dubbole3.0.11
apache:dubboapache dubboeq3.1.0

CPE	Name	Operator	Version
apache:dubbo	apache dubbo	le	2.7.17
apache:dubbo	apache dubbo	le	3.0.11
apache:dubbo	apache dubbo	eq	3.1.0

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Dubbo",
    "versions": [
      {
        "version": "Apache Dubbo 2.7.x",
        "status": "affected",
        "lessThanOrEqual": "2.7.17",
        "versionType": "custom"
      },
      {
        "version": "Apache Dubbo 3.0.x",
        "status": "affected",
        "lessThanOrEqual": "3.0.11",
        "versionType": "custom"
      },
      {
        "version": "Apache Dubbo 3.1.x",
        "status": "affected",
        "lessThanOrEqual": "3.1.0",
        "versionType": "custom"
      }
    ]
  }
]