CVE-2021-43297

CWE-502Deserialization of Untrusted Data4 documents4 sources
Severity
9.8CRITICAL
EPSS
46.3%
top 2.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache DubboApache Dubbo
Timeline
PublishedJan 10
Latest updateJan 12

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDapache/dubbo2.6.02.6.12+2
Mavenorg.apache.dubbo:dubbo2.6.02.6.12+2
CVEListV5apache_software_foundation/apache_dubboApache Dubbo 2.6.x2.6.12+2

🔴Vulnerability Details

3
OSV
Deserialization of Untrusted Data in Dubbo2022-01-12
GHSA
Deserialization of Untrusted Data in Dubbo2022-01-12
CVEList
Dubbo Hessian cause RCE when parse error2022-01-10
CVE-2021-43297 (CRITICAL CVSS 9.8) | A deserialization vulnerability exi | cvebase.io