org.apache.dubbo:dubbo-common is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a lack of class validation when deserializing untrusted user input, which allows an attacker to upload and execute malicious code.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | dubbo-common | le | 3.0.13 |
| | dubbo-common | le | 3.1.5 |
| | dubbo-common | le | 2.7.21 |
github.com/advisories/GHSA-933g-v89r-x8pf
github.com/apache/dubbo/commit/4f664f0a3d338673f4b554230345b89c580bccbb
github.com/apache/dubbo/commit/c71a05a58c9db46638417cc6ecee32be5508d92c
github.com/apache/dubbo/commit/ce3b0e285a463b566a9d685049201bfaf526c8ac
github.com/apache/dubbo/pull/11419
github.com/apache/dubbo/pull/11430
github.com/apache/dubbo/pull/11431
lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb