CVE-2021-36163

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-36163

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36163.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-36163

Aliases

GHSA-cpx9-4rwv-486v

Published

2021-09-07T10:15:07Z

Modified

2024-09-03T03:53:20.399279Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1

References

https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E

Affected packages

Git / github.com/apache/dubbo

Affected ranges

Type: GIT
Repo: https://github.com/apache/dubbo
Events: Introduced

236a45694e9a1925e0a57f42686996f6fbf4c694

Last affected

aa3fe7b74dfe282ab7c3b83b2fc5559d06c8f9b4

Introduced

614bcebc01336ee5047a98f96b28915680c0399c

Last affected

e8eeddbf42952e7dd4ba4428548f91006900ea5c

Affected versions

2.*

2.7.6

dubbo-2.*

dubbo-2.7.0

dubbo-2.7.1

dubbo-2.7.10

dubbo-2.7.11

dubbo-2.7.12

dubbo-2.7.4

dubbo-2.7.6

dubbo-2.7.7

dubbo-2.7.9

dubbo-3.*

dubbo-3.0.0

dubbo-3.0.1