CVE-2023-23638
Apache Dubbo CVE-2023-23638 describes a deserialization flaw during generic-invoke that enables remote code execution. Affected: Dubbo 2.7.x (≤2.7.21), 3.0.x (≤3.0.13), 3.1.x (≤3.1.5). Root cause: insecure deserialization in the generic invoke path. Impact: potential RCE with high impact to confi...
CVE-2021-25641
CVE-2021-25641 affects Apache Dubbo servers prior to 2.7.8 and 2.6.9. The vulnerability arises when a provider’s byte preamble flags are tampered with, allowing an attacker to override the server’s chosen serialization protocol and trigger a weak deserializer (e.g., Kryo or FST) in scope. This en...
CVE-2021-30179
Apache Dubbo CVE-2021-30179 affects versions prior to 2.6.9 and 2.7.9. The vulnerability arises because GenericFilter allows generic calls to arbitrary methods on provider interfaces via Java Reflection. An invocation of $invoke/$invokeAsync takes the method name as its first argument, followed by the parameter types,...
CVE-2021-43297
CVE-2021-43297 describes a deserialization vulnerability in Dubbo Hessian-Lite 3.2.11 and earlier that could enable remote code execution when Hessian mishandles deserialization. Affected are Apache Dubbo versions 2.6.x before 2.6.12, 2.7.x before 2.7.15, and 3.0.x before 3.0.5. The root cause i...
CVE-2019-17564
CVE-2019-17564 is an unsafe deserialization vulnerability in Apache Dubbo when HTTP remoting is enabled. An attacker can send a POST with a Java object to fully compromise a Dubbo Provider instance. Affected versions include 2.7.0–2.7.4, 2.6.0–2.6.7, and all 2.5.x. The exploitation leads to remot...
CVE-2020-1948
CVE-2020-1948 affects Apache Dubbo before 2.7.8 (and related versions) where deserialization of untrusted data in RPC requests can trigger remote code execution. The vulnerability targets the Dubbo Provider component and allows an attacker to send RPC calls with unrecognized service/method names ...
CVE-2021-36163
Summary: CVE-2021-36163 affects Apache Dubbo when using the Hessian protocol. The HessianSkeleton can be created without configuring the serialization factory, bypassing the dubbo type-list checks. As a result, the generic service is exposed, so an attacker may not need a valid service/method nam...
CVE-2021-32824
Apache Dubbo (Java RPC framework) versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via the Telnet handler. An unprotected Telnet endpoint allows arbitrary bean inspection and shutdown, while the invoke handler processes arguments with FastJson then realises the...
CVE-2021-30180
CVE-2021-30180 — Apache Dubbo : Affects Dubbo versions prior to 2.7.9. The vulnerability arises when parsing YAML tag routing rules, which may allow a client to trigger calling arbitrary constructors on the server. This is the underlying root cause described in the initial details. Potential impa...
CVE-2021-30181
Apache Dubbo vulnerability CVE-2021-30181 involves Script routing where ScriptEngine parsing routing rules may allow executing arbitrary code. Affected versions include Dubbo prior to 2.6.9 and 2.7.9/2.7.10 (as described in multiple sources). The issue stems from the default ScriptEngine configur...
CVE-2021-25640
CVE-2021-25640 affects Apache Dubbo prior to versions 2.6.12 and 2.7.15, where the parseURL method can bypass white-host checks, enabling open redirect or SSRF. Impacted components and exact root cause are described across multiple sources; exploitation status is not detailed here. Remediation is...
CVE-2021-36162
Apache Dubbo (routing/configuration rules loaded from config centers like Zookeeper or Nacos) is affected by CVE-2021-36162 through unsafe YAML deserialization using SnakeYAML, which can enable arbitrary constructor invocation and remote code execution when consumers retrieve tampered rules. The ...
CVE-2021-37579
The CVE-2021-37579 entry concerns Apache Dubbo’s Dubbo Provider deserialization flow. The issue allows an attacker to bypass the configured security check and reach a deserialization operation using native Java serialization when an incoming request and its serialization type aren’t properly vali...
CVE-2022-24969
Apache Dubbo prior to versions 2.6.12 and 2.7.15 has a vulnerability where the parseURL method bypasses the white host check. The issue can enable open redirection or server-side request forgery (SSRF) as described in CVE-2022-24969 and related advisories. Affected component: parseURL handling in...
CVE-2022-39198
The CVE-2022-39198 entry describes a deserialization vulnerability in dubbo hessian-lite prior to 3.2.12, which could allow arbitrary code execution. Affected software/components include dubbo hessian-lite 3.2.12 and earlier, impacting Apache Dubbo 2.7.x up to 2.7.17; 3.0.x up to 3.0.11; and 3.1....
CVE-2021-36161
CVE-2021-36161 affects Apache Dubbo where components may print formatted strings of input arguments, potentially allowing RCE via a malicious bean with a crafted toString method. The issue is described across multiple sources and is resolved in Dubbo 2.7.13 by fixing the toString call in timeout,...
CVE-2020-11995
This CVE describes a deserialization vulnerability in Apache Dubbo up to and including version 2.7.5, where Hessian2 deserializing a HashMap can trigger code execution via certain class methods (notably EqualsBean in rome-1.7.0.jar). The issue arises from the default Hessian2 deserialization path ...
CVE-2023-29234
CVE-2023-29234 describes a deserialization vulnerability in Apache Dubbo. Affected versions are 3.1.0–3.1.10 and 3.2.0–3.2.4, where decoding a malicious package can lead to arbitrary code execution. Root cause: unsafe deserialization in the Dubbo framework. Impact: high with potential remote code...
CVE-2023-46279
CVE-2023-46279 describes a Deserialization of Untrusted Data vulnerability in Apache Dubbo, affecting only version 3.1.5. Multiple sources (NVD entry and Red Hat/CNVDOSV mirrors) confirm the issue stems from unsafe deserialization and leads to a high-impact compromise if exploited. The NVD metr...