28 matches found
EUVD-2021-2103
Malware in sbrugna...
CVE-2021-30179
Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API...
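Since the exposure described above comes from GenericFilter's reflective dispatch of whatever service and method name the caller supplies, one defence-in-depth step while upgrading is to refuse generic calls on the provider side unless a service has explicitly opted in. The filter below is an added example, not Dubbo's own code: the class name, the opt-in service `com.example.api.PublicGatewayService` and the activation order are assumptions (Dubbo sorts activated filters by ascending `order`, and GenericFilter is registered at -20000, so -25000 should place this filter ahead of it; verify against your version). It only blocks the reflective generic path; argument deserialization at codec time, the path CVE-2020-1948 below describes, happens before any filter runs, so for that the upgrade is the fix.

```java
package com.example.dubbo.security;

import org.apache.dubbo.common.constants.CommonConstants;
import org.apache.dubbo.common.extension.Activate;
import org.apache.dubbo.rpc.Filter;
import org.apache.dubbo.rpc.Invocation;
import org.apache.dubbo.rpc.Invoker;
import org.apache.dubbo.rpc.Result;
import org.apache.dubbo.rpc.RpcException;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Provider-side filter that rejects generic ($invoke / $invokeAsync) calls unless
 * the target service interface is on an explicit opt-in list. Added example, not
 * Dubbo code. Order -25000 is assumed to sort before GenericFilter (-20000).
 */
@Activate(group = CommonConstants.PROVIDER, order = -25000)
public class DenyGenericInvocationFilter implements Filter {

    // Hypothetical opt-in list; a real deployment would load this from configuration.
    private static final Set<String> GENERIC_ALLOWED_SERVICES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("com.example.api.PublicGatewayService")));

    /** True when the invocation is a generic call by method name or by the "generic" attachment. */
    static boolean isGenericInvocation(Invocation invocation) {
        String method = invocation.getMethodName();
        if ("$invoke".equals(method) || "$invokeAsync".equals(method)) {
            return true;
        }
        // Generic consumers set the "generic" attachment (e.g. "true", "bean", "nativejava").
        String generic = invocation.getAttachment("generic");
        return generic != null && !generic.isEmpty() && !"false".equalsIgnoreCase(generic);
    }

    /** Generic calls pass only for opted-in services; ordinary calls are untouched. */
    static boolean isAllowed(String serviceInterface, Invocation invocation) {
        return !isGenericInvocation(invocation)
                || GENERIC_ALLOWED_SERVICES.contains(serviceInterface);
    }

    @Override
    public Result invoke(Invoker<?> invoker, Invocation invocation) throws RpcException {
        String service = invoker.getInterface().getName();
        if (!isAllowed(service, invocation)) {
            // Fail closed before the call reaches GenericFilter's reflective dispatch.
            throw new RpcException(RpcException.FORBIDDEN_EXCEPTION,
                    "Generic invocation is not permitted for service " + service);
        }
        return invoker.invoke(invocation);
    }
}
```

Register it through Dubbo's SPI mechanism with a line such as `denyGeneric=com.example.dubbo.security.DenyGenericInvocationFilter` in `META-INF/dubbo/org.apache.dubbo.rpc.Filter`; because it is `@Activate` for the provider group it is picked up on every provider, and it can also be referenced explicitly via `dubbo.provider.filter`.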
CVE-2020-1948
This vulnerability can affect all Dubbo users still on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, the attacker's code is executed. More detai...
Exploit for Deserialization of Untrusted Data in Apache Dubbo
Apache Dubbo deserialization vulnerability: CVE-2023-29234 is a vulnerability in the Apache Dubbo framework that allows an attacker to execute arbitrary code on the server side. It is caused by a deserialization issue in the Dubbo framework, which can be exploited by sending a specially crafted serialize...
The vulnerability of the Apache Dubbo RPC framework, related to deficiencies in the deserialization mechanism, allows attackers to execute arbitrary code or cause service failures.
The vulnerability of the Apache Dubbo RPC framework is related to deficiencies in the deserialization mechanism. Exploiting this vulnerability allows a malicious actor to execute arbitrary code or cause service failures...
Insecure Deserialization
dubbo is vulnerable to Insecure Deserialization. The vulnerability is caused by a lack of validation of untrusted user data. An attacker can modify application data, perform a DoS attack or execute arbitrary code by exploiting this vulnerability...
cc.uncarbon.framework:helio-starter-dubbo (>=1.7.0 <=1.11.1), io.basc.framework:dubbo (>=1.8.0 <=1.8.1) +15 more potentially affected by CVE-2023-29234 via org.apache.dubbo:dubbo (>=3.1.0 <=3.1.10)
org.apache.dubbo:dubbo MAVEN version =3.1.0, =1.7.0, =1.8.0, =0.0.1.RC1, =0.0.1.RC1, =2022.10, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =2.5.1, =1.0.7, =1.0.15.1 and more Source cves: CVE-2023-29234 Source advisory: OSV:GHSA-6X49-W35H-WQRJ...
cc.uncarbon.framework:helio-starter-dubbo (>=2.0.0 <=2.2.0), cn.dev33:sa-token-dubbo3 (>=1.35.0.RC <=1.45.0) +52 more potentially affected by CVE-2023-29234 via org.apache.dubbo:dubbo (>=3.2.0 <=3.2.4)
org.apache.dubbo:dubbo MAVEN version =3.2.0, =2.0.0, =1.35.0.RC, =2023.0.0.0, =2023.0.0.0-beta2, =4.0.5, =4.0.5, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =3.0.2, =3.0.6 - com.mobaijun:loadbalancer-spring-boot-starter =3.0.2 - com.mobaijun:test-spring-boot-starter-example =3.0.3 -...
cc.uncarbon.framework:helio-starter-dubbo (>=1.7.0 <=1.11.1), cn.katool.security:katool-security-core (=1.1.1.RELEASE) +27 more potentially affected by CVE-2023-23638 via org.apache.dubbo:dubbo (>=3.1.0 <=3.1.4)
org.apache.dubbo:dubbo MAVEN version =3.1.0, =1.7.0, =1.8.0, =0.0.1.RC1, =0.0.1.RC1, =0.0.1.RC2 and more Source cves: CVE-2023-23638 Source advisory: OSV:GHSA-933G-V89R-X8PF...
cc.jweb:jweb-adai (>=1.0.2 <=1.0.6), cc.jweb:jweb-boot (>=1.0.2 <=1.0.5) +92 more potentially affected by CVE-2022-39198 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.17)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =1.0.2, =1.0.2, =1.2.1, =1.28.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =0.0.1, =2.2.7.RELEASE, =1.0.3, =1.0.3, =1.5.1, =2.0.1, =2.0.11 and more Source cves: CVE-2022-39198 Source advisory: OSV:GHSA-5QWQ-G2HX-R6...
GHSA-5QWQ-G2HX-R6F7 Hessian Lite for Apache Dubbo deserialization vulnerability
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version...
cn.benma666:druid (=1.2.22), cn.hill4j.rpcext:rpc-ext-core (>=1.0 <=1.2) +149 more potentially affected by CVE-2021-25640 +1 more via com.alibaba:dubbo (>=2.5.10 <=2.6.10)
com.alibaba:dubbo MAVEN version =2.5.10, =1.0, =1.0.0, =1.0.0, =2.19.10.0, =2.19.10.0, =1.0.0.RELEASE, =0.1.0, =4.2.1, =4.2.1, =4.2.1, =4.2.1, =4.2.18 and more Source cves: CVE-2021-25640, CVE-2022-24969 Source advisory: OSV:GHSA-GM48-83X4-84JG...
cc.jweb:jweb-adai (>=1.0.2 <=1.0.6), cc.jweb:jweb-boot (>=1.0.2 <=1.0.5) +74 more potentially affected by CVE-2021-25640 +1 more via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.14)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =1.0.2, =1.0.2, =1.2.1, =1.28.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =0.0.1, =1.0.3, =1.0.3, =1.5.1, =2.0.1, =2.0.11 and more Source cves: CVE-2021-25640, CVE-2022-24969 Source advisory:...
CVE-2022-24969
Bypass of the CVE-2021-25640 fix. In Apache Dubbo prior to 2.6.12 and 2.7.15, the use of the parseURL method allows the allow-listed host check to be bypassed, which can cause an open redirect or SSRF vulnerability...
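The two advisories above (CVE-2021-25640 and its bypass CVE-2022-24969) describe the same failure class: a host allow-list check whose URL parsing disagrees with the parsing of whatever later follows the URL. The class below is an added example of how to write such a check, not Dubbo's parseURL code and not a reconstruction of either bug: it parses with `java.net.URI`, rejects anything it cannot parse, and compares the normalized host exactly against the list. The host `trusted.example`, the class name and the sample inputs in `main` are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/** Exact-host allow-list check. Added example, not Dubbo's own URL handling. */
public final class HostAllowList {

    // Lower-case host names only; ports and paths are deliberately not part of the key.
    private final Set<String> allowedHosts;

    public HostAllowList(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns true only for http(s) URLs whose authority host is exactly allow-listed. */
    public boolean permits(String url) {
        final URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, never parsed "best effort"
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // scheme-relative URLs inherit whatever the client decides
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        if (uri.getUserInfo() != null) {
            return false; // "trusted@evil" puts the allowed name in userinfo, not the host
        }
        String host = uri.getHost();
        if (host == null) {
            return false; // opaque URI or registry-based authority: no server host to check
        }
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        HostAllowList list = new HostAllowList(Set.of("trusted.example"));
        // Constructed inputs: the second column is the expected verdict.
        String[][] cases = {
            {"http://trusted.example/callback", "true"},
            {"HTTPS://TRUSTED.EXAMPLE:8443/x", "true"},
            {"http://trusted.example@evil.example/", "false"},       // allowed name only in userinfo
            {"http://evil.example/?next=trusted.example", "false"},  // a substring match would pass this
            {"http://evil.example#@trusted.example", "false"},       // allowed name only in fragment
            {"http://trusted.example.evil.example/", "false"},       // prefix/suffix confusion
            {"http://trusted.example\\@evil.example/", "false"},     // illegal character: parser rejects
            {"//trusted.example/", "false"},                         // no scheme
            {"javascript://trusted.example/%0aalert(1)", "false"},   // wrong scheme, right host
        };
        for (String[] c : cases) {
            boolean got = list.permits(c[0]);
            System.out.printf("%-50s -> %-5s (expected %s)%n", c[0], got, c[1]);
        }
    }
}
```

The point of the sample inputs is that every one of them contains the allowed host name somewhere, so a check built on substring or prefix matching, or on a hand-rolled split at `://` and `/`, passes several of them while a single strict parser with exact host comparison passes only the first two. If the same URL is later handed to a different parser (an HTTP client, a redirect header), it must be the parsed and re-serialized form that is forwarded, not the original string.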
com.addplus9:addplus_action_dubbo (>=0.0.1 <=1.0.0), com.alibaba.csp:sentinel-apache-dubbo-adapter (>=1.5.1 <=1.7.0) +28 more potentially affected by CVE-2021-30180 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.1)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0, =1.2.4, =2.7.0, =1.3.1, =1.3.1, =1.4.4 and more Source cves: CVE-2021-30180 Source advisory: OSV:GHSA-7WFC-X4F7-GG2X...
com.addplus9:addplus_action_dubbo (>=0.0.1 <=1.0.0), com.alibaba.csp:sentinel-apache-dubbo-adapter (>=1.5.1 <=1.7.0) +28 more potentially affected by CVE-2021-30179 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.1)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0, =1.2.4, =2.7.0, =1.3.1, =1.3.1, =1.4.4 and more Source cves: CVE-2021-30179 Source advisory: OSV:GHSA-5MC7-M686-P6JG...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-30179 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-30179 Source advisory: OSV:GHSA-5MC7-M686-P6JG...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-30181 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-30181 Source advisory: OSV:GHSA-QMFC-6WWW-FJQW...
com.addplus9:addplus_action_dubbo (>=0.0.1 <=1.0.0), com.alibaba.csp:sentinel-apache-dubbo-adapter (>=1.5.1 <=1.7.0) +28 more potentially affected by CVE-2021-25640 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.1)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0, =1.2.4, =2.7.0, =1.3.1, =1.3.1, =1.4.4 and more Source cves: CVE-2021-25640 Source advisory: OSV:GHSA-GW4J-4229-Q4PX...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-25640 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-25640 Source advisory: OSV:GHSA-GW4J-4229-Q4PX...