GHSA-q897-9jxf-jg9r

Source

https://github.com/advisories/GHSA-q897-9jxf-jg9r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-q897-9jxf-jg9r/GHSA-q897-9jxf-jg9r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q897-9jxf-jg9r

Aliases

CVE-2021-37579

Published

2021-09-10T17:56:23Z

Modified

2023-11-08T04:06:18.760938Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Security check skip in Apache Dubbo

Details

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.

Database specific

{
    "nvd_published_at": "2021-09-09T08:15:00Z",
    "github_reviewed_at": "2021-09-10T16:49:29Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Maven / org.apache.dubbo:dubbo

Package

Name: org.apache.dubbo:dubbo; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dubbo/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.13

Affected versions

2.*

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.4.1

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

Maven / org.apache.dubbo:dubbo

Package

Name: org.apache.dubbo:dubbo; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dubbo/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.2

Affected versions

3.*

3.0.0

3.0.0.preview

3.0.1