CVE-2021-25641: Deserialization of Untrusted Data in Apache Software Foundation Apache Dubbo

Severity: 9.8 CRITICAL (NVD)
EPSS: 74.6% (top 1.14%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 1; latest update Mar 18

Description

Each Apache Dubbo server (Provider) sets a serialization id to tell its clients which serialization protocol it is using. In Dubbo versions before 2.7.8 (2.7.x line) or 2.6.9 (2.6.x line), the Provider does not verify that id on incoming requests: an attacker can choose which serialization id the Provider will use by tampering with the flag byte in the request preamble, i.e. by not following the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. if Kryo is pulled in by a dependency), a remote unauthenticated attacker can
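To make the flag-byte mechanism concrete, the following is an added Python example (not code from this page or from the Dubbo project). It builds and parses the 16-byte Dubbo request header, extracts the 5-bit serialization id from the flag byte, and contrasts a decoder that trusts the header (the pre-2.7.8 / pre-2.6.9 behaviour described above) with one that rejects any id other than the Provider's configured one. The strict check is this example's own model of the fix, not the Dubbo codec's code; the serialization id constants are the ones Dubbo registers, and the frames are constructed for the demonstration.

```python
import struct

# Dubbo wire-protocol header (16 bytes, big-endian):
#   magic (2) | flag (1) | status (1) | request id (8) | body length (4)
# The flag byte carries request / two-way / event bits in its top three bits
# and the serialization id in its low five bits.
MAGIC = 0xDABB
FLAG_REQUEST = 0x80
FLAG_TWOWAY = 0x40
FLAG_EVENT = 0x20
SERIALIZATION_MASK = 0x1F
HEADER_LENGTH = 16
HEADER_FMT = ">HBBqI"

# Serialization ids registered in Dubbo; hessian2 (2) is the default.
SERIALIZATION_IDS = {
    "hessian2": 2,
    "java": 3,
    "compactedjava": 4,
    "fastjson": 6,
    "nativejava": 7,
    "kryo": 8,
    "fst": 9,
}
ID_TO_NAME = {sid: name for name, sid in SERIALIZATION_IDS.items()}


def build_request_header(serialization_id, request_id, body_length, twoway=True):
    """Build a Dubbo request header carrying the given serialization id."""
    flag = FLAG_REQUEST | (serialization_id & SERIALIZATION_MASK)
    if twoway:
        flag |= FLAG_TWOWAY
    return struct.pack(HEADER_FMT, MAGIC, flag, 0, request_id, body_length)


def parse_header(frame):
    """Decode the fixed header; raises ValueError on a short or non-Dubbo frame."""
    if len(frame) < HEADER_LENGTH:
        raise ValueError("frame shorter than the 16-byte Dubbo header")
    magic, flag, status, request_id, body_length = struct.unpack(
        HEADER_FMT, frame[:HEADER_LENGTH]
    )
    if magic != MAGIC:
        raise ValueError("bad magic 0x%04x" % magic)
    return {
        "request": bool(flag & FLAG_REQUEST),
        "twoway": bool(flag & FLAG_TWOWAY),
        "event": bool(flag & FLAG_EVENT),
        "serialization_id": flag & SERIALIZATION_MASK,
        "status": status,
        "request_id": request_id,
        "body_length": body_length,
    }


def select_deserializer(frame, provider_serialization_id, strict):
    """Decide which deserializer the Provider would use for this frame.

    strict=False models the pre-fix behaviour: whatever id the client put in
    the flag byte is honoured. strict=True models the fixed behaviour (this
    example's assumption, not the Dubbo code itself): the id must equal the
    Provider's configured serialization or the frame is rejected before any
    payload is deserialized. Returns (accepted, serialization_id, name).
    """
    header = parse_header(frame)
    sid = header["serialization_id"]
    name = ID_TO_NAME.get(sid, "unknown(%d)" % sid)
    if strict and sid != provider_serialization_id:
        return (False, sid, name)
    return (True, sid, name)


if __name__ == "__main__":
    provider_sid = SERIALIZATION_IDS["hessian2"]  # what the server advertised
    # Constructed tampered frame: the client ignores the advertised id and asks for kryo.
    tampered = build_request_header(SERIALIZATION_IDS["kryo"], 1, 0)
    print("vulnerable:", select_deserializer(tampered, provider_sid, strict=False))
    print("fixed:     ", select_deserializer(tampered, provider_sid, strict=True))
```

The point the strict branch makes is that the decision has to happen on the header alone, before the body is handed to any deserializer; once a Kryo or FST payload has been fed to its deserializer, the damage is done.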

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Source      Package                                   Affected range        Fixed in
NVD         apache/dubbo                              from 2.5.0            2.6.9 (+1 further range)
CVEListV5   apache_software_foundation/apache_dubbo   Apache Dubbo 2.7.x    2.7.8 (+1 further range)

Vulnerability Details (3 references)

OSV: Deserializer tampering in Apache Dubbo (2022-03-18)
GHSA: Deserializer tampering in Apache Dubbo (2022-03-18)
CVEList: Dubbo Zookeeper does not check serialization id (2021-05-29)
CVE-2021-25641 — Deserialization of Untrusted Data | cvebase