Skip to main content

Dubbo CVE-2023-46279

CRITICAL
Deserialization of Untrusted Data (CWE-502)
2023-12-15 security@apache.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Dec 15, 2023 - 09:15 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 maven packages depend on org.apache.dubbo:dubbo (6 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.1.5.

DescriptionNVD

Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5.

Users are recommended to upgrade to the latest version, which fixes the issue.

AnalysisAI

Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5. Users are recommended to upgrade to the latest version, which fixes the issue. Affected products include: Apache Dubbo.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.

More in Dubbo

View all
CVE-2023-29234 CRITICAL
9.8 Dec 15

A deserialization vulnerability existed when decode a malicious package.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Ra

CVE-2023-23638 CRITICAL
9.8 Mar 08

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.7.x vers

CVE-2022-39198 CRITICAL
9.8 Oct 18

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malic

CVE-2021-37579 CRITICAL
9.8 Sep 09

The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the con

CVE-2021-36161 CRITICAL
9.8 Sep 09

Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for

CVE-2021-36163 CRITICAL
9.8 Sep 07

In Apache Dubbo, users may choose to use the Hessian protocol. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-30181 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the r

CVE-2021-30180 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. R

CVE-2021-30179 CRITICAL
9.8 Jun 01

Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfa

CVE-2021-25641 CRITICAL
9.8 Jun 01

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on.

CVE-2020-1948 CRITICAL
9.8 Jul 14

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. Rated critical severity (CVSS 9.8), this v

CVE-2021-36162 HIGH
8.8 Sep 07

Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). Rate

Share

CVE-2023-46279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy