1. Home
  2. Vulnerabilities
  3. CVE-2021-43297

CVE-2021-43297

CVSS v3.1 9.8 (Critical)
98% Progress
CVSS v2.0 7.5 (High)
75% Progress
EPSS 1.19 % (85th)
1.19% Progress
Affected Products 1
Advisories 1
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Weaknesses
CWE-502
Deserialization of Untrusted Data
CVE Status
PUBLISHED
CNA
Apache Software Foundation
Published Date
2022-01-10 16:15:09
(2 years ago)
Updated Date
2022-01-18 20:10:31
(2 years ago)

Affected Products

Apache

Configuration #1

    CPE23 From Up To
  Apache Dubbo from 2.6.0 version and prior 2.6.12 version cpe:2.3:a:apache:dubbo >= 2.6.0 < 2.6.12
  Apache Dubbo from 2.7.0 version and prior 2.7.15 version cpe:2.3:a:apache:dubbo >= 2.7.0 < 2.7.15
  Apache Dubbo from 3.0.0 version and prior 3.0.5 version cpe:2.3:a:apache:dubbo >= 3.0.0 < 3.0.5