CVE-2023-23638

Severity: 9.8 CRITICAL
EPSS: 68.3% (top 1.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 8; latest update Apr 10

Description

A deserialization vulnerability existed in Dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Exploitability: 1.6 | Impact: 3.4

Affected Packages (3 packages)

Source     | Package                                  | Affected versions            | More
Maven      | org.apache.dubbo:dubbo                   | 3.0.0 to 3.0.13              | +2
NVD        | apache/dubbo                             | 2.7.0 to 2.7.21              | +2
CVEListV5  | apache_software_foundation/apache_dubbo  | Apache Dubbo 2.7.x to 2.7.21 | +2

Vulnerability Details (4 entries)

OSV: squid vulnerabilities (2024-04-10)
OSV: Apache Dubbo vulnerable to Deserialization of Untrusted Data (2023-03-08)
CVEList: Apache Dubbo Deserialization Vulnerability Gadgets Bypass (2023-03-08)
GHSA: Apache Dubbo vulnerable to Deserialization of Untrusted Data (2023-03-08)