5 matches found
CVE-2021-25641
Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following t...
cc.akkaha:pea-dubbo_2.12 (>=0.6.0 <=0.7.0), cc.akkaha:pea_2.12 (>=0.6.0 <=0.7.0) +253 more potentially affected by CVE-2021-25641 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.7)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =0.6.0, =0.6.0, =1.0.2, =1.0.2, =1.2.1, =1.28.0, =1.0.0, =0.1.3, =0.1.0, =1.00, =2.0.0.RELEASE, =2.0.1.RELEASE and more Source cves: CVE-2021-25641 Source advisory: OSV:GHSA-V2RG-8CWR-75G8...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-25641 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-25641 Source advisory: OSV:GHSA-V2RG-8CWR-75G8...
CVE-2021-25641
creationtimestamp | type | source
---|---|---
2021-06-26 13:48:07+00:00 | published-proof-of-concept | https://t.me/CyberSecurityTechnologies/3699
2021-08-02 20:29:04+00:00 | published-proof-of-concept | Telegram/Tvd8QL4SENBdyhrOX8ClGh5gThmxL9slOp2aXg1VdaPgg...
Exploit for Deserialization of Untrusted Data in Apache Dubbo
The 0xDABB of Doom - CVE-2021-25641-Proof-of-Concept Apache/Al...