CVE-2021-36163

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
9.8CRITICAL
EPSS
1.2%
top 21.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache DubboApache Dubbo
Timeline
PublishedSep 7
Latest updateSep 8

Description

In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.dubbo:dubbo2.7.02.7.13+1
NVDapache/dubbo2.7.02.7.12+1
CVEListV5apache_software_foundation/apache_dubboApache Dubbo 2.7.x2.7.12+1

🔴Vulnerability Details

3
OSV
Hessian protocol configuration vulnerability in Apache Dubbo2021-09-08
GHSA
Hessian protocol configuration vulnerability in Apache Dubbo2021-09-08
CVEList
Unsafe deserialization in providers using the Hessian protocol2021-09-07
CVE-2021-36163 (CRITICAL CVSS 9.8) | In Apache Dubbo | cvebase.io