CVE-2023-41331

Source
https://cve.org/CVERecord?id=CVE-2023-41331
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41331.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41331
Aliases
  • GHSA-chv2-7hxj-2j86
Published
2023-09-12T19:57:57.437Z
Modified
2026-04-12T02:37:10.172360Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SOFARPC Remote Command Execution (RCE) Vulnerability
Details

SOFARPC is a Java RPC framework. Versions prior to 5.11.0 are vulnerable to remote command execution. Through a carefully crafted payload, an attacker can achieve JNDI injection or system command execution. In the default configuration of the SOFARPC framework, a blacklist is used to filter out dangerous classes encountered during the deserialization process. However, the blacklist is not comprehensive, and an actor can exploit certain native JDK classes and common third-party packages to construct gadget chains capable of achieving JNDI injection or system command execution attacks. Version 5.11.0 contains a fix for this issue. As a workaround, users can add the JVM option -Drpc_serialize_blacklist_override=javax.sound.sampled.AudioFileFormat to extend the blacklist.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-917"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/41xxx/CVE-2023-41331.json"
}
References

Affected packages

Git / github.com/sofastack/sofa-rpc

Affected ranges

Type
GIT
Repo
https://github.com/sofastack/sofa-rpc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

5.*
5.10.1
v5.*
v5.10.0
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.5.0
v5.5.1
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.7.0
v5.7.1
v5.7.10
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.7.8
v5.7.9
v5.8.0
v5.8.1
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.9.0
v5.9.1
v5.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41331.json"
vanir_signatures_modified
"2026-04-12T02:37:10Z"
vanir_signatures