[MAVEN:GHSA-VP5X-3V8R-QPRW] Deserialization of Untrusted Data in Dubbo

Severity Critical

Affected Packages 3

Fixed Packages 3

CVEs 1

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Package	Affected Version
pkg:maven/org.apache.dubbo/dubbo	>= 3.0.0, < 3.0.5
pkg:maven/org.apache.dubbo/dubbo	>= 2.7.0, < 2.7.15
pkg:maven/org.apache.dubbo/dubbo	>= 2.6.0, < 2.6.12

Package	Fixed Version
pkg:maven/org.apache.dubbo/dubbo	= 3.0.5
pkg:maven/org.apache.dubbo/dubbo	= 2.7.15
pkg:maven/org.apache.dubbo/dubbo	= 2.6.12

ID: MAVEN:GHSA-VP5X-3V8R-QPRW
Severity: critical
URL: https://github.com/advisories/GHSA-vp5x-3v8r-qprw
Published: 2022-01-12T22:51:04
(2 years ago)
Modified: 2023-02-03T05:03:58
(19 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2021-43297
			https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
			https://github.com/advisories/GHSA-vp5x-3v8r-qprw

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.apache.dubbo/dubbo	org.apache.dubbo	dubbo	>= 3.0.0 < 3.0.5
Fixed	pkg:maven/org.apache.dubbo/dubbo	org.apache.dubbo	dubbo	= 3.0.5
Affected	pkg:maven/org.apache.dubbo/dubbo	org.apache.dubbo	dubbo	>= 2.7.0 < 2.7.15
Fixed	pkg:maven/org.apache.dubbo/dubbo	org.apache.dubbo	dubbo	= 2.7.15
Affected	pkg:maven/org.apache.dubbo/dubbo	org.apache.dubbo	dubbo	>= 2.6.0 < 2.6.12
Fixed	pkg:maven/org.apache.dubbo/dubbo	org.apache.dubbo	dubbo	= 2.6.12

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date