Bypass serialize checks in Apache Dubbo
CVE-2023-29234

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Dubbo
Vendor: CVE Published:; 15 December 2023

Summary

A deserialization vulnerability exists in Apache Dubbo that can be exploited when decoding a specially crafted malicious package. This vulnerability impacts Apache Dubbo versions from 3.1.0 to 3.1.10 and from 3.2.0 to 3.2.4, potentially allowing an attacker to execute arbitrary code. Users are strongly advised to upgrade to the latest version to mitigate the associated risks.

Affected Version(s)

Apache Dubbo 3.1.0 <= 3.1.10

Apache Dubbo 3.2.0 <= 3.2.4

References

https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94r...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/12/15/2

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 15, 2023
Vulnerability Reserved
Apr 4, 2023

Credit

Bofei Chen, Lei Zhang, Guangliang Yang, Keke Lian and Xinyou Huang