CVE-2023-23638

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-23638

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23638.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-23638

Aliases

GHSA-933g-v89r-x8pf

Published

2023-03-08T11:15:10.390Z

Modified

2026-04-10T04:55:38.657923Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.

This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

References

https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb

Affected packages

Git / github.com/apache/dubbo

Affected ranges

Type

GIT

Repo

https://github.com/apache/dubbo

Events

Introduced

614bcebc01336ee5047a98f96b28915680c0399c

Last affected

4e80ee57eedc14375565cff4cfcdff308f7eb2ff

Introduced

236a45694e9a1925e0a57f42686996f6fbf4c694

Last affected

c7974d0ae7c156a6a7cc2c01b14dc95beca1abb1

Introduced

db4007e44527451ceda23aa109b4123949b4210e

Last affected

45e59887bb9a7362097bf8f9c6b64a390d9f2417

Database specific

{
    "versions": [
        {
            "introduced": "2.7.0"
        },
        {
            "last_affected": "2.7.21"
        },
        {
            "introduced": "3.0.0"
        },
        {
            "last_affected": "3.0.13"
        },
        {
            "introduced": "3.1.0"
        },
        {
            "last_affected": "3.1.5"
        }
    ]
}

Affected versions

dubbo-3.*

dubbo-3.1.0

dubbo-3.1.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23638.json"