Latest apache dubbo Vulnerabilities

CVE-2023-46279
Apache Dubbo: Bypass deny serialize list check in Apache Dubbo
Apache Dubbo=3.1.5
maven/org.apache.dubbo:dubbo=3.1.5
CVE-2023-29234
Bypass serialize checks in Apache Dubbo
maven/org.apache.dubbo:dubbo>=3.2.0<3.2.5
maven/org.apache.dubbo:dubbo>=3.1.0<3.1.11
Apache Dubbo>=3.1.0<=3.1.10
Apache Dubbo>=3.2.0<=3.2.4
CVE-2023-23638
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3...
Apache Dubbo>=2.7.0<=2.7.21
Apache Dubbo>=3.0.0<=3.0.13
Apache Dubbo>=3.1.0<=3.1.5
CVE-2021-32824
Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The...
Apache Dubbo<2.6.10
Apache Dubbo>=2.7.0<2.7.10
CVE-2022-39198
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and pr...
Apache Dubbo>=2.7.0<=2.7.17
Apache Dubbo>=3.0.0<=3.0.11
Apache Dubbo=3.1.0
CVE-2022-24969
bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
Apache Dubbo<2.6.12
Apache Dubbo>=2.7.0<2.7.15
CVE-2021-37579
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use...
Apache Dubbo>=2.7.0<2.7.13
Apache Dubbo>=3.0.0<3.0.2
CVE-2021-36161
Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special toString method. In the latest versio...
Apache Dubbo>=2.7.0<2.7.13
CVE-2021-36162
Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (eg: Zookeeper, Nacos, ...) and...
Apache Dubbo>=2.7.0<=2.7.12
Apache Dubbo>=3.0.0<=3.0.1
CVE-2021-36163
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkelet...
Apache Dubbo>=2.7.0<=2.7.12
Apache Dubbo>=3.0.0<=3.0.1
CVE-2021-25640
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
Apache Dubbo>=2.5.0<2.6.9
Apache Dubbo>=2.7.0<2.7.9
CVE-2021-30181
Apache Dubbo>=2.5.0<2.6.10
Apache Dubbo>=2.7.0<2.7.10
CVE-2021-30180
Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the ...
Apache Dubbo>=2.7.0<2.7.10
CVE-2021-30179
Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the serv...
Apache Dubbo>=2.5.0<=2.5.10
Apache Dubbo>=2.6.0<2.6.9
Apache Dubbo>=2.7.0<2.7.10
CVE-2021-25641
Apache Dubbo>=2.5.0<2.6.9
Apache Dubbo>=2.7.0<2.7.8
CVE-2019-17564
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of...
Apache Dubbo>=2.5.0<=2.5.10
Apache Dubbo>=2.6.0<=2.6.7
Apache Dubbo>=2.7.0<=2.7.4

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203