Apache Dubbo Deserialization Vulnerability Gadgets Bypass
CVE-2023-23638

5MEDIUM

Key Information:

Vendor

Apache
Status
Apache Dubbo
Vendor
CVE Published:
8 March 2023

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 68%

What is CVE-2023-23638?

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.

This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Apache Dubbo Apache Dubbo 2.7.x <= 2.7.21

Apache Dubbo Apache Dubbo 3.0.x <= 3.0.13

Apache Dubbo Apache Dubbo 3.1.x <= 3.1.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Apache-Dubbo-CVE-2023-23638-exp
Created by YYHYlh

Dubbo-RCE
Created by X1r0z

References

https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63h...
vendor-advisory

EPSS Score

68% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

yemoli、R1ckyZ、Koishi、cxc
JSON
.