Lucene search

GitHub Advisory DatabaseGHSA-933G-V89R-X8PF

HistoryMar 08, 2023 - 12:30 p.m.

Apache Dubbo vulnerable to Deserialization of Untrusted Data

2023-03-0812:30:16

CWE-502

GitHub Advisory Database

github.com

apache dubbo

deserialization

vulnerability

malicious code execution

2.7.x

3.0.x

3.1.x

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.015 Low

EPSS

Percentile

86.9%

JSON

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

Affected configurations

Vulners

Node

org.apache.dubbo\Matchdubbo

CPENameOperatorVersion
org.apache.dubbo:dubbolt2.7.21
org.apache.dubbo:dubbolt3.1.5
org.apache.dubbo:dubbolt3.0.13

Name	Operator	Version
org.apache.dubbo:dubbo	lt	2.7.21
org.apache.dubbo:dubbo	lt	3.1.5
org.apache.dubbo:dubbo	lt	3.0.13

References

github.com/advisories/GHSA-933g-v89r-x8pf

lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb

nvd.nist.gov/vuln/detail/CVE-2023-23638

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.015 Low

EPSS

Percentile

86.9%

JSON

Related for GHSA-933G-V89R-X8PF