Apache Software Foundation Apache Dubbo vulnerabilities
16 known vulnerabilities affecting apache_software_foundation/apache_dubbo.
Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 13, HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2023-46279 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 3.1.5 only | Published: 2023-12-15
Deserialization of Untrusted Data vulnerability in Apache Dubbo. This issue only affects Apache Dubbo 3.1.5.
Users are recommended to upgrade to the latest version, which fixes the issue.
Sources: cvelistv5, nvd
CVE-2023-29234 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 3.1.0 through 3.1.10; 3.2.0 through 3.2.4 | Published: 2023-12-15
A deserialization vulnerability existed when decoding a malicious package. This issue affects Apache Dubbo from 3.1.0 through 3.1.10 and from 3.2.0 through 3.2.4.
Users are recommended to upgrade to the latest version, which fixes the issue.
Sources: cvelistv5, nvd
CVE-2023-23638 | CRITICAL (CVSS 9.8; the CNA record lists it as MEDIUM) | CWE-502 | Affected: 2.7.x ≤ 2.7.21; 3.0.x ≤ 3.0.13; 3.1.x ≤ 3.1.5 | Published: 2023-03-08
A deserialization vulnerability existed in Dubbo generic invocation, which could lead to malicious code execution.
This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
Sources: cvelistv5, nvd
CVE-2022-39198 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 2.7.x ≤ 2.7.17; 3.0.x ≤ 3.0.11; 3.1.x ≤ 3.1.0 | Published: 2022-10-18
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
Sources: cvelistv5, nvd
CVE-2022-24969 | MEDIUM | CVSS 6.1 | CWE-918 | Affected: 2.7.x < 2.7.15; 2.6.x ≤ 2.6.12 | Published: 2022-06-06
Bypass of CVE-2021-25640. In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of the parseURL method leads to a bypass of the white host check, which can cause an open redirect or SSRF vulnerability.
Sources: cvelistv5
CVE-2021-43297 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 2.6.x < 2.6.12; 2.7.x < 2.7.15; +1 more range (not shown) | Published: 2022-01-10
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, Hessian will log some information for users, which may cause remote command
Sources: cvelistv5, nvd
CVE-2021-37579 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 2.7.x ≤ 2.7.12; 3.0.x ≤ 3.0.1 | Published: 2021-09-09
The Dubbo Provider checks that the incoming request and the serialization type of that request meet the configuration set by the server. But there is an exception that an attacker can use to skip the security check (when enabled) and reach a deserialization operation with native Java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed t
Sources: cvelistv5, nvd
CVE-2021-36161 | CRITICAL | CVSS 9.8 | CWE-134 | Affected: 2.7.x ≤ 2.7.12 | Published: 2021-09-09
Some components in Dubbo try to print the formatted string of the input arguments, which can cause RCE for a maliciously customized bean with a special toString method. In the latest version, the toString call is fixed in timeout, cache and some other places. Fixed in Apache Dubbo 2.7.13.
Sources: cvelistv5, nvd
CVE-2021-36163 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 2.7.x ≤ 2.7.12; 2.6.x ≤ 2.6.10 | Published: 2021-09-07
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: new HessianSkeletons are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blo
Sources: cvelistv5, nvd
CVE-2021-36162 | HIGH | CVSS 8.8 | Affected: 2.7.x ≤ 2.7.12; 3.0.x ≤ 3.0.1 | Published: 2021-09-07
Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and retrieved by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers will use SnakeYAML library
Sources: cvelistv5, nvd
CVE-2021-30180 | CRITICAL | CVSS 9.8 | CWE-444 | Affected: 2.7.x < 2.7.9 | Published: 2021-06-01
Apache Dubbo prior to 2.7.9 supports Tag routing, which enables a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.
Sources: cvelistv5, nvd
CVE-2021-30179 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 2.7.x < 2.7.9; 2.6.x < 2.6.9 | Published: 2021-06-01
Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter, which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call. The signature for the $invo
Sources: cvelistv5, nvd
CVE-2021-25641 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: 2.7.x < 2.7.8; 2.6.x < 2.6.9 | Published: 2021-06-01
Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following the server's instruction. This means that if a weak d
Sources: cvelistv5, nvd
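The preamble flags described above travel in the client-sent frame header, so a provider has to validate the serialization id it finds there instead of honoring it. The following is an added example, not Dubbo's own decoder: a Python parser for the fixed 16-byte Dubbo protocol header (magic 0xdabb, a flags byte whose low five bits carry the serialization id, status, 64-bit request id, 32-bit body length) plus an allowlist check run over two constructed frames, one of which has its flags tampered to request native Java serialization. The id-to-name table and the "Hessian2 only" policy are assumptions made for the example.

```python
"""Inspect Dubbo protocol frame headers and reject serialization ids the
provider is not configured to accept (the client-controlled flags byte
discussed under CVE-2021-25641). Added example, not Dubbo code."""
import struct

DUBBO_MAGIC = b"\xda\xbb"          # 0xdabb magic high/low
HEADER_LEN = 16                    # fixed header size in bytes

# Assumed mapping of serialization ids to names for this example; confirm
# against the Serialization SPI of the Dubbo version you actually run.
SERIALIZATION_NAMES = {
    2: "hessian2",
    3: "java",
    4: "compactedjava",
    6: "fastjson",
    7: "nativejava",
    8: "kryo",
    9: "fst",
}

# Assumed provider policy for this example: Hessian2 only.
ALLOWED_SERIALIZATION_IDS = {2}


def parse_dubbo_header(frame: bytes) -> dict:
    """Decode the 16-byte Dubbo header: magic, flags, status, request id, length."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than the Dubbo header")
    if frame[:2] != DUBBO_MAGIC:
        raise ValueError("bad Dubbo magic")
    flags = frame[2]
    (request_id,) = struct.unpack(">Q", frame[4:12])
    (body_len,) = struct.unpack(">I", frame[12:16])
    return {
        "is_request": bool(flags & 0x80),   # bit 7: request (1) / response (0)
        "two_way": bool(flags & 0x40),      # bit 6: sender expects a reply
        "is_event": bool(flags & 0x20),     # bit 5: heartbeat / event frame
        "serialization_id": flags & 0x1F,   # bits 0-4: chosen by the *sender*
        "status": frame[3],
        "request_id": request_id,
        "body_len": body_len,
    }


def check_frame(frame: bytes):
    """Return (accepted, reason). The id in the header is attacker-controlled,
    so it is compared against the provider's allowlist rather than trusted."""
    hdr = parse_dubbo_header(frame)
    sid = hdr["serialization_id"]
    name = SERIALIZATION_NAMES.get(sid, "unknown")
    if sid not in ALLOWED_SERIALIZATION_IDS:
        return False, f"rejected: serialization id {sid} ({name}) not allowed"
    return True, f"accepted: serialization id {sid} ({name})"


def build_frame(serialization_id: int, request_id: int = 1, body: bytes = b"",
                is_request: bool = True, two_way: bool = True) -> bytes:
    """Assemble a frame with the given flags (used only to construct samples)."""
    flags = (0x80 if is_request else 0) | (0x40 if two_way else 0) | (serialization_id & 0x1F)
    return (DUBBO_MAGIC + bytes([flags, 0]) + struct.pack(">Q", request_id)
            + struct.pack(">I", len(body)) + body)


# Constructed sample frames: a normal Hessian2 request and one whose flags
# were tampered to ask for native Java serialization instead.
SAMPLE_FRAMES = [
    build_frame(2, request_id=1, body=b"hessian2-body"),
    build_frame(3, request_id=2, body=b"java-serialized-body"),
]


def triage(frames=SAMPLE_FRAMES):
    """Run the check over frames; returns [(serialization_id, accepted), ...]."""
    return [(parse_dubbo_header(f)["serialization_id"], check_frame(f)[0]) for f in frames]


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(check_frame(f)[1])
```

The same header parse is useful on the detection side: logging the serialization id per request id lets you alert on any frame whose id differs from the one the provider advertises, which is exactly the tampering the advisory describes.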
CVE-2021-30181 | CRITICAL | CVSS 9.8 | Affected: 2.7.x < 2.7.9; 2.6.x < 2.6.9 | Published: 2021-06-01
Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing, which enables a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script, which by default may enable e
Sources: cvelistv5, nvd
CVE-2021-25640 | MEDIUM | CVSS 6.1 | CWE-918 | Affected: 2.7.x < 2.7.15; 2.6.x ≤ 2.6.12 | Published: 2021-06-01
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of the parseURL method leads to a bypass of the white host check, which can cause an open redirect or SSRF vulnerability. (The range metadata extends past the 2.6.9/2.7.9 fix because that fix was bypassed; see CVE-2022-24969.)
Sources: cvelistv5, nvd
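The white host check in CVE-2021-25640 and its bypass in CVE-2022-24969 are both about deciding whether a URL's host is on an allowlist before redirecting to it or fetching it. The block below is an added example and is not Dubbo's parseURL or any other Dubbo code: it places a weak substring-style check beside a strict one that parses first, compares the exact hostname, and refuses inputs (userinfo, backslashes, non-HTTP schemes) where different parsers disagree about which host the URL names. The allowlist and the sample URLs are constructed for the example.

```python
"""Host allowlist checks for open-redirect / SSRF prevention: a weak
substring check beside a strict parse-then-compare check.
Added example, not Dubbo code."""
from urllib.parse import urlsplit

# Constructed allowlist for the example (not Dubbo's configuration).
ALLOWED_HOSTS = {"api.example.com", "auth.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_host_check(url: str) -> bool:
    """The weak pattern: accept if an allowed host appears anywhere in the raw URL."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Parse first, compare the exact hostname, and refuse ambiguous inputs."""
    # Backslashes and whitespace are treated differently by browsers, Java's
    # URL class and Python's urlsplit; refuse rather than guess.
    if "\\" in url or any(c.isspace() for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "user@host" makes the real host depend on how the parser splits userinfo.
    if "@" in parts.netloc:
        return False
    host = parts.hostname
    if not host:
        return False
    return host.lower() in ALLOWED_HOSTS


# Constructed sample URLs: one legitimate, five that target the naive check.
SAMPLES = [
    "https://api.example.com/v1/orders",
    "https://api.example.com.evil.net/",
    "https://evil.net/?next=https://api.example.com",
    "https://api.example.com@evil.net/",
    "https://evil.net\\@api.example.com/",
    "javascript://api.example.com/%0aalert(1)",
]


def compare(urls=SAMPLES):
    """Returns [(url, naive_result, strict_result), ...]."""
    return [(u, naive_host_check(u), strict_host_check(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"naive={naive!s:5} strict={strict!s:5} {url}")
```

The fifth sample is the instructive one: urlsplit reports its hostname as api.example.com because it splits userinfo at the last "@", while a client that treats the backslash as a path separator would connect to evil.net. Comparing only the parsed hostname is therefore not enough; the strict check rejects the input outright.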
CVE-2020-11995 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: Apache Dubbo < 2.6.9 | Published: 2021-01-11
A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; while Hessian2 deserializes the HashMap object, some functions in the classes stored in the HashMap will be executed after a series of progra
Sources: cvelistv5, nvd
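Because the affected ranges above use a mix of inclusive ("2.7.21 and prior") and exclusive ("prior to 2.7.9") bounds across three release lines, checking a deployed version by eye is error-prone. The following is an added triage helper, not part of this listing's data feed or of Apache Dubbo: it transcribes the ranges from the entries above into inclusive/exclusive tuples, parses a Dubbo version string (dropping suffixes such as -SNAPSHOT), and returns the CVEs on this page that cover it. Where the range metadata and the description text disagree (CVE-2021-25640, CVE-2022-24969), the description's versions are used; for CVE-2020-11995 both the "< 2.6.9" metadata and the "2.7.5 and earlier" description are included. The third range of CVE-2021-43297 is not shown on the page and is therefore not encoded.

```python
"""Triage helper: which CVEs on this listing cover a given Apache Dubbo version.
Added example; ranges transcribed from the entries above."""
import re

# (cve, lowest affected, highest affected, highest bound is inclusive)
AFFECTED = [
    ("CVE-2023-46279", "3.1.5", "3.1.5", True),
    ("CVE-2023-29234", "3.1.0", "3.1.10", True),
    ("CVE-2023-29234", "3.2.0", "3.2.4", True),
    ("CVE-2023-23638", "2.7.0", "2.7.21", True),
    ("CVE-2023-23638", "3.0.0", "3.0.13", True),
    ("CVE-2023-23638", "3.1.0", "3.1.5", True),
    ("CVE-2022-39198", "2.7.0", "2.7.17", True),
    ("CVE-2022-39198", "3.0.0", "3.0.11", True),
    ("CVE-2022-39198", "3.1.0", "3.1.0", True),
    ("CVE-2022-24969", "2.6.0", "2.6.12", False),
    ("CVE-2022-24969", "2.7.0", "2.7.15", False),
    ("CVE-2021-43297", "2.6.0", "2.6.12", False),  # a third range is not shown on the page
    ("CVE-2021-43297", "2.7.0", "2.7.15", False),
    ("CVE-2021-37579", "2.7.0", "2.7.12", True),
    ("CVE-2021-37579", "3.0.0", "3.0.1", True),
    ("CVE-2021-36161", "2.7.0", "2.7.12", True),
    ("CVE-2021-36163", "2.6.0", "2.6.10", True),
    ("CVE-2021-36163", "2.7.0", "2.7.12", True),
    ("CVE-2021-36162", "2.7.0", "2.7.12", True),
    ("CVE-2021-36162", "3.0.0", "3.0.1", True),
    ("CVE-2021-30180", "2.7.0", "2.7.9", False),
    ("CVE-2021-30179", "2.6.0", "2.6.9", False),
    ("CVE-2021-30179", "2.7.0", "2.7.9", False),
    ("CVE-2021-25641", "2.6.0", "2.6.9", False),
    ("CVE-2021-25641", "2.7.0", "2.7.8", False),
    ("CVE-2021-30181", "2.6.0", "2.6.9", False),
    ("CVE-2021-30181", "2.7.0", "2.7.9", False),
    ("CVE-2021-25640", "2.6.0", "2.6.9", False),   # description bounds; metadata extends to 2.7.15 / 2.6.12
    ("CVE-2021-25640", "2.7.0", "2.7.9", False),
    ("CVE-2020-11995", "0", "2.6.9", False),       # range metadata on the page
    ("CVE-2020-11995", "2.7.0", "2.7.5", True),    # "2.7.5 and its earlier versions"
]


def parse_version(text: str) -> tuple:
    """'2.7.8-SNAPSHOT' -> (2, 7, 8). Non-numeric suffixes are dropped and the
    tuple is padded to three components so that '3.1' compares as 3.1.0."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognized version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def in_range(version: str, lo: str, hi: str, hi_inclusive: bool) -> bool:
    v, lo_v, hi_v = parse_version(version), parse_version(lo), parse_version(hi)
    return lo_v <= v and (v <= hi_v if hi_inclusive else v < hi_v)


def affected_cves(version: str) -> list:
    """CVE ids from this listing whose ranges cover `version`, in listing
    order and without duplicates."""
    hits = []
    for cve, lo, hi, inc in AFFECTED:
        if in_range(version, lo, hi, inc) and cve not in hits:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for v in ("2.7.8", "3.1.5", "3.2.5"):
        print(v, affected_cves(v) or "none listed")
```

Treat the output as a starting point, not a verdict: the listing's ranges are upstream Dubbo versions, so a vendor-patched build or a shaded hessian-lite dependency can differ, and CVE-2021-43297's missing third range means a "clean" result for other release lines is not evidence of absence.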