Dubbo@2.5.0 Security Vulnerabilities and Issues — Dubbo@2.5.0 CVE List

Lucene search

ApacheDubbo2.5.0

7 matches found

CVE•added 2021/06/01 2:15 p.m.•109 views

CVE-2021-25641

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the...

9.8CVSS9.5AI score0.74804EPSS

CVE•added 2021/06/01 2:15 p.m.•100 views

CVE-2021-30179

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API t...

9.8CVSS9.5AI score0.03582EPSS

CVE•added 2020/04/01 10:15 p.m.•86 views

CVE-2019-17564

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6....

9.8CVSS9.2AI score0.93465EPSS

CVE•added 2020/07/14 2:15 p.m.•84 views

CVE-2020-1948

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details...

9.8CVSS9.3AI score0.67997EPSS

CVE•added 2021/06/01 2:15 p.m.•69 views

CVE-2021-30181

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run th...

9.8CVSS9.5AI score0.03311EPSS

CVE•added 2021/06/01 2:15 p.m.•67 views

CVE-2021-25640

In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.

6.1CVSS6.1AI score0.00219EPSS

CVE•added 2021/01/11 10:15 a.m.•59 views

CVE-2020-11995

A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored i...

9.8CVSS9.7AI score0.01417EPSS