Apache Dubbo Deserialization Vulnerability Gadgets Bypass
CVE-2023-23638

5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Dubbo
Vendor: CVE Published:; 8 March 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.

This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

Affected Version(s)

Apache Dubbo Apache Dubbo 2.7.x <= 2.7.21

Apache Dubbo Apache Dubbo 3.0.x <= 3.0.13

Apache Dubbo Apache Dubbo 3.1.x <= 3.1.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Apache-Dubbo-CVE-2023-23638-exp
Created by YYHYlh

Dubbo-RCE
Created by X1r0z

References

https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63h...

vendor-advisory

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jun 8, 2023
👾
Exploit known to exist
Jun 8, 2023
Vulnerability published
Mar 8, 2023
Vulnerability Reserved
Jan 17, 2023

Credit

yemoli、R1ckyZ、Koishi、cxc