3 matches found
CVE-2021-25641
Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following t...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-25641 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-25641 Source advisory: OSV:GHSA-V2RG-8CWR-75G8...
Exploit for Deserialization of Untrusted Data in Apache Dubbo
The 0xDABB of Doom - CVE-2021-25641-Proof-of-Concept Apache/Al...