CVE-2021-37579

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
9.8CRITICAL
EPSS
2.9%
top 13.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache DubboApache Software Foundation Apache Dubbo
Timeline
PublishedSep 9
Latest updateSep 10

Description

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

CVEListV5apache_software_foundation/apache_dubboApache Dubbo 2.7.x2.7.12+1
NVDapache/dubbo2.7.02.7.13+1
Mavenorg.apache.dubbo:dubbo3.0.03.0.2+1

🔴Vulnerability Details

3
OSV
Security check skip in Apache Dubbo2021-09-10
GHSA
Security check skip in Apache Dubbo2021-09-10
CVEList
Bypass deserialization checks in Apache Dubbo2021-09-09
CVE-2021-37579 (CRITICAL CVSS 9.8) | The Dubbo Provider will check the i | cvebase.io