20 matches found
EUVD-2021-2103
Malware in sbrugna...
Insecure Deserialization
dubbo is vulnerable to insecure deserialization. The vulnerability is caused by a lack of validation of untrusted user data. An attacker can modify application data, cause a denial of service, or execute arbitrary code by exploiting this vulnerability...
cc.uncarbon.framework:helio-starter-dubbo (>=2.0.0 <=2.2.0), cn.dev33:sa-token-dubbo3 (>=1.35.0.RC <=1.45.0) +52 more potentially affected by CVE-2023-29234 via org.apache.dubbo:dubbo (>=3.2.0 <=3.2.4)
org.apache.dubbo:dubbo MAVEN version =3.2.0, =2.0.0, =1.35.0.RC, =2023.0.0.0, =2023.0.0.0-beta2, =4.0.5, =4.0.5, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =3.0.2, =3.0.6 - com.mobaijun:loadbalancer-spring-boot-starter =3.0.2 - com.mobaijun:test-spring-boot-starter-example =3.0.3 -...
cc.uncarbon.framework:helio-starter-dubbo (>=1.7.0 <=1.11.1), io.basc.framework:dubbo (>=1.8.0 <=1.8.1) +15 more potentially affected by CVE-2023-29234 via org.apache.dubbo:dubbo (>=3.1.0 <=3.1.10)
org.apache.dubbo:dubbo MAVEN version =3.1.0, =1.7.0, =1.8.0, =0.0.1.RC1, =0.0.1.RC1, =2022.10, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =3.1.0, =2.5.1, =1.0.7, =1.0.15.1 and more Source cves: CVE-2023-29234 Source advisory: OSV:GHSA-6X49-W35H-WQRJ...
cc.uncarbon.framework:helio-starter-dubbo (>=1.7.0 <=1.11.1), cn.katool.security:katool-security-core (=1.1.1.RELEASE) +27 more potentially affected by CVE-2023-23638 via org.apache.dubbo:dubbo (>=3.1.0 <=3.1.4)
org.apache.dubbo:dubbo MAVEN version =3.1.0, =1.7.0, =1.8.0, =0.0.1.RC1, =0.0.1.RC1, =0.0.1.RC2 and more Source cves: CVE-2023-23638 Source advisory: OSV:GHSA-933G-V89R-X8PF...
cc.jweb:jweb-adai (>=1.0.2 <=1.0.6), cc.jweb:jweb-boot (>=1.0.2 <=1.0.5) +92 more potentially affected by CVE-2022-39198 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.17)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =1.0.2, =1.0.2, =1.2.1, =1.28.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =0.0.1, =2.2.7.RELEASE, =1.0.3, =1.0.3, =1.5.1, =2.0.1, =2.0.11 and more Source cves: CVE-2022-39198 Source advisory: OSV:GHSA-5QWQ-G2HX-R6...
cc.jweb:jweb-adai (>=1.0.2 <=1.0.6), cc.jweb:jweb-boot (>=1.0.2 <=1.0.5) +74 more potentially affected by CVE-2021-25640 +1 more via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.14)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =1.0.2, =1.0.2, =1.2.1, =1.28.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =2.0.0.RELEASE, =0.0.1, =1.0.3, =1.0.3, =1.5.1, =2.0.1, =2.0.11 and more Source cves: CVE-2021-25640, CVE-2022-24969 Source advisory:...
cn.benma666:druid (=1.2.22), cn.hill4j.rpcext:rpc-ext-core (>=1.0 <=1.2) +149 more potentially affected by CVE-2021-25640 +1 more via com.alibaba:dubbo (>=2.5.10 <=2.6.10)
com.alibaba:dubbo MAVEN version =2.5.10, =1.0, =1.0.0, =1.0.0, =2.19.10.0, =2.19.10.0, =1.0.0.RELEASE, =0.1.0, =4.2.1, =4.2.1, =4.2.1, =4.2.1, =4.2.18 and more Source cves: CVE-2021-25640, CVE-2022-24969 Source advisory: OSV:GHSA-GM48-83X4-84JG...
CVE-2022-24969
Bypass of CVE-2021-25640: in Apache Dubbo prior to 2.6.12 and 2.7.15, use of the parseURL method leads to a bypass of the whitelisted-host check, which can cause an open redirect or SSRF vulnerability...
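The entry above describes a host-allowlist check that a crafted URL can get past. The following is an added example of that class of bug in general, not Dubbo's code and not a reproduction of the CVE-2022-24969 bypass itself: a substring-style host check beside a check that parses the URL first and compares the parsed host exactly. The allowlist, the probe URLs and both check functions are constructed for the example.

```python
"""Host-allowlist checks on attacker-supplied URLs: a bypassable
substring check beside a strict parse-then-compare check.
Generic illustration; the hosts and URLs below are made up."""
from urllib.parse import urlsplit

# Constructed allowlist of hosts the service is permitted to reach.
ALLOWED_HOSTS = {"rpc.internal.example", "registry.internal.example"}


def weak_host_check(url: str) -> bool:
    """Flawed check: passes if any allowed host name appears anywhere in
    the raw URL string.  Extra labels, userinfo ('user@host') and query
    strings all satisfy it, and it is case-sensitive where DNS is not."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Parse first, then compare the parsed host exactly.
    Rejects non-http(s) schemes, any userinfo component, and unparsable
    input.  The same parser must be the one later used to connect."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.hostname is None:
        return False
    return parts.hostname.lower() in ALLOWED_HOSTS


# Constructed probes: one legitimate URL, four shaped like classic
# allowlist bypasses, and one legitimate URL with mixed-case host.
PROBES = [
    "http://rpc.internal.example/api",
    "http://rpc.internal.example.attacker.example/",
    "http://rpc.internal.example@attacker.example/",
    "http://rpc.internal.example:80@attacker.example/",
    "http://attacker.example/?next=http://rpc.internal.example/",
    "https://RPC.internal.example:8443/x",
]


def compare(urls=PROBES):
    """Return {url: (weak_result, strict_result)} for each probe."""
    return {u: (weak_host_check(u), strict_host_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

The point the probes make: a check that inspects the raw string, or that parses the URL differently from the component that later connects, can be satisfied by a URL whose effective host is attacker-controlled. Validate the parsed host with the parser the consumer will actually use, compare it exactly against the allowlist, and reject userinfo and unexpected schemes outright.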
com.addplus9:addplus_action_dubbo (>=0.0.1 <=1.0.0), com.alibaba.csp:sentinel-apache-dubbo-adapter (>=1.5.1 <=1.7.0) +28 more potentially affected by CVE-2021-30180 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.1)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0, =1.2.4, =2.7.0, =1.3.1, =1.3.1, =1.4.4 and more Source cves: CVE-2021-30180 Source advisory: OSV:GHSA-7WFC-X4F7-GG2X...
com.addplus9:addplus_action_dubbo (>=0.0.1 <=1.0.0), com.alibaba.csp:sentinel-apache-dubbo-adapter (>=1.5.1 <=1.7.0) +28 more potentially affected by CVE-2021-30179 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.1)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0, =1.2.4, =2.7.0, =1.3.1, =1.3.1, =1.4.4 and more Source cves: CVE-2021-30179 Source advisory: OSV:GHSA-5MC7-M686-P6JG...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-30179 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-30179 Source advisory: OSV:GHSA-5MC7-M686-P6JG...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-30181 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-30181 Source advisory: OSV:GHSA-QMFC-6WWW-FJQW...
com.addplus9:addplus_action_dubbo (>=0.0.1 <=1.0.0), com.alibaba.csp:sentinel-apache-dubbo-adapter (>=1.5.1 <=1.7.0) +28 more potentially affected by CVE-2021-25640 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.1)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0, =1.2.4, =2.7.0, =1.3.1, =1.3.1, =1.4.4 and more Source cves: CVE-2021-25640 Source advisory: OSV:GHSA-GW4J-4229-Q4PX...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-25640 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-25640 Source advisory: OSV:GHSA-GW4J-4229-Q4PX...
cc.akkaha:asura-core_2.12 (=0.3.0), cc.akkaha:asura-dubbo_2.12 (>=0.2.0 <=0.6.0) +285 more potentially affected by CVE-2021-25641 via com.alibaba:dubbo (>=2.5.10 <=2.6.8)
com.alibaba:dubbo MAVEN version =2.5.10, =0.2.0, =0.1.5, =0.1.5, =11.0.1-RELEASE, =11.0.1-RELEASE, =1.0, =1.4.0, =1.4.0, =1.4.0, =1.0.0, =1.0.1 and more Source cves: CVE-2021-25641 Source advisory: OSV:GHSA-V2RG-8CWR-75G8...
cc.jweb:jweb-adai (>=1.0.2 <=1.0.6), cc.jweb:jweb-boot (>=1.0.2 <=1.0.5) +49 more potentially affected by CVE-2021-37579 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.12)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =1.0.2, =1.0.2, =1.2.1, =1.28.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0.0, =1.0, =1.1 and more Source cves: CVE-2021-37579 Source advisory: OSV:GHSA-Q897-9JXF-JG9R...
cn.fossc.polaris.framework:basic-framework-spring-boot-starter (>=3.0.9 <=3.0.33), cn.fossc.polaris.framework:polaris-framework-boot (>=3.0.1 <=3.0.33) +38 more potentially affected by CVE-2021-37579 via org.apache.dubbo:dubbo (>=3.0.0 <=3.0.15)
org.apache.dubbo:dubbo MAVEN version =3.0.0, =3.0.9, =3.0.1, =3.0.1, =3.0.1, =1.2.1, =1.2.2 - com.chinagoods.framework.thinkcloud:think-cloud-starter-business =3.1.7.RELEASE - com.chinagoods.framework.thinkcloud:think-cloud-starter-controller =3.1.7.RELEASE -...
cc.jweb:jweb-adai (>=1.0.2 <=1.0.6), cc.jweb:jweb-boot (>=1.0.2 <=1.0.5) +49 more potentially affected by CVE-2021-36163 via org.apache.dubbo:dubbo (>=2.7.0 <=2.7.12)
org.apache.dubbo:dubbo MAVEN version =2.7.0, =1.0.2, =1.0.2, =1.2.1, =1.28.0, =0.0.1, =1.5.1, =2.0.1, =0.1.3, =2.4.0, =2.4.0, =2.4.0, =1.0.0, =1.0.0, =1.0, =1.1 and more Source cves: CVE-2021-36163 Source advisory: OSV:GHSA-CPX9-4RWV-486V...
Remote Code Execution (RCE)
dubbo is vulnerable to remote code execution. The vulnerability exists because some functions in the classes stored in a HashMap are executed, after a series of program calls, via a crafted malicious request...