GHSA-vp5x-3v8r-qprw

Source

https://github.com/advisories/GHSA-vp5x-3v8r-qprw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-vp5x-3v8r-qprw/GHSA-vp5x-3v8r-qprw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vp5x-3v8r-qprw

Aliases

CVE-2021-43297

Published

2022-01-12T22:51:04Z

Modified

2023-11-08T04:07:09.482377Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Deserialization of Untrusted Data in Dubbo

Details

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Database specific

{
    "nvd_published_at": "2022-01-10T16:15:00Z",
    "github_reviewed_at": "2022-01-11T18:30:09Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Maven / org.apache.dubbo:dubbo

Package

Name: org.apache.dubbo:dubbo; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dubbo/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.0

Fixed

2.6.12

Maven / org.apache.dubbo:dubbo

Package

Name: org.apache.dubbo:dubbo; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dubbo/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7.0

Fixed

2.7.15

Affected versions

2.*

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.4.1

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

Maven / org.apache.dubbo:dubbo

Package

Name: org.apache.dubbo:dubbo; View open source insights on deps.dev
Purl: pkg:maven/org.apache.dubbo/dubbo

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.5

Affected versions

3.*

3.0.0

3.0.0.preview

3.0.1

3.0.2

3.0.2.1

3.0.3

3.0.4