Lucene search

Veracode Vulnerability DatabaseVERACODE:39608

HistoryMar 09, 2023 - 12:49 p.m.

Remote Code Execution (RCE)

2023-03-0912:49:43

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

remote code execution

apache dubbo

deserialization vulnerability

class validation

malicious code execution

0.015 Low

EPSS

Percentile

86.9%

JSON

org.apache.dubbo:dubbo-common is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a lack of class validation when deserializing untrusted user input which allows an attacker to upload and execute malicious code.

CPENameOperatorVersion
dubbo-commonle3.0.13
dubbo-commonle3.1.5
dubbo-commonle2.7.21
dubbo-commonle3.0.13
dubbo-commonle3.1.5
dubbo-commonle2.7.21

Name	Operator	Version
dubbo-common	le	3.0.13
dubbo-common	le	3.1.5
dubbo-common	le	2.7.21
dubbo-common	le	3.0.13
dubbo-common	le	3.1.5
dubbo-common	le	2.7.21

References

github.com/advisories/GHSA-933g-v89r-x8pf

github.com/apache/dubbo/commit/4f664f0a3d338673f4b554230345b89c580bccbb

github.com/apache/dubbo/commit/c71a05a58c9db46638417cc6ecee32be5508d92c

github.com/apache/dubbo/commit/ce3b0e285a463b566a9d685049201bfaf526c8ac

github.com/apache/dubbo/pull/11419

github.com/apache/dubbo/pull/11430

github.com/apache/dubbo/pull/11431

lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb

0.015 Low

EPSS

Percentile

86.9%

JSON

Related for VERACODE:39608