CVE-2021-43297

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-43297
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43297.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-43297
Aliases
Published
2022-01-10T16:15:09Z
Modified
2024-09-03T03:57:20.087043Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches an unexpected exception, it logs some information for users, which may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

References

Affected packages

Git / github.com/apache/dubbo

Affected ranges

Type
GIT
Repo
https://github.com/apache/dubbo
Events

Affected versions

dubbo-2.*

dubbo-2.5.10
dubbo-2.5.9
dubbo-2.6.0
dubbo-2.6.1
dubbo-2.6.10
dubbo-2.6.11
dubbo-2.6.2
dubbo-2.6.3
dubbo-2.6.4
dubbo-2.6.5
dubbo-2.6.6
dubbo-2.6.8
dubbo-2.6.9