CVE-2021-32824

Severity: 9.8 CRITICAL
EPSS: 5.9% (top 9.44%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Jan 3, 2023

Description

Apache Dubbo is a Java-based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port also serves a Telnet handler that offers basic commands for collecting information about the providers and methods exposed by the service, and it can even shut the service down. This endpoint is unprotected. Additionally, a provider method can be invoked us

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Source      Package                          Version   Fixed in   Additional ranges
CVEListV5   apache/dubbo                     2.6.10    2.6.10     +2
NVD         apache/dubbo                     2.7.0     2.7.10     +1
Maven       org.apache.dubbo:dubbo-parent    2.7.0     2.7.10     +1

🔴 Vulnerability Details (3 references)

CVEList   Regular expression Denial of Service in MooTools   2023-01-03   (title as listed; it does not match this CVE's description)
OSV       Apache Dubbo vulnerable to remote code execution via Telnet Handler   2023-01-03
GHSA      Apache Dubbo vulnerable to remote code execution via Telnet Handler   2023-01-03
Source: cvebase.io (CVE-2021-32824, CRITICAL, CVSS 9.8)