Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/58930?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "type": "maven", "namespace": "org.apache.dubbo", "name": "dubbo", "version": "2.7.13", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.7.21", "latest_non_vulnerable_version": "3.2.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42021?format=api", "vulnerability_id": "VCID-9ngc-j571-m3ck", "summary": "Deserialization of Untrusted Data\nA deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43297", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.46296", "scoring_system": "epss", "scoring_elements": "0.97717", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.46296", "scoring_system": "epss", "scoring_elements": "0.97712", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.46296", "scoring_system": "epss", "scoring_elements": "0.97716", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43297" }, { "reference_url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43297", "reference_id": "CVE-2021-43297", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43297" }, { "reference_url": "https://github.com/advisories/GHSA-vp5x-3v8r-qprw", "reference_id": "GHSA-vp5x-3v8r-qprw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vp5x-3v8r-qprw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60096?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/60097?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.5" } ], "aliases": [ "CVE-2021-43297", "GHSA-vp5x-3v8r-qprw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9ngc-j571-m3ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108845?format=api", "vulnerability_id": "VCID-ahzf-whmw-aue3", "summary": "Hessian Lite for Apache Dubbo deserialization vulnerability\nA deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.10341", "scoring_system": "epss", "scoring_elements": "0.93335", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.10341", "scoring_system": "epss", "scoring_elements": "0.93333", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.10341", "scoring_system": "epss", "scoring_elements": "0.93323", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.10341", "scoring_system": "epss", "scoring_elements": "0.93334", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39198" }, { "reference_url": "https://github.com/apache/dubbo-hessian-lite", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo-hessian-lite" }, { "reference_url": "https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1" }, { "reference_url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-13T14:48:24Z/" } ], "url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39198", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39198" }, { "reference_url": "https://github.com/advisories/GHSA-5qwq-g2hx-r6f7", "reference_id": "GHSA-5qwq-g2hx-r6f7", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5qwq-g2hx-r6f7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145003?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/145005?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/145008?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cur-ezpv-k7fx" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.1" } ], "aliases": [ "CVE-2022-39198", "GHSA-5qwq-g2hx-r6f7" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ahzf-whmw-aue3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44630?format=api", "vulnerability_id": "VCID-f4ha-rjpx-yfgb", "summary": "Deserialization of Untrusted Data\nA deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23638", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.50291", "scoring_system": "epss", "scoring_elements": "0.97891", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.50291", "scoring_system": "epss", "scoring_elements": "0.97893", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.50291", "scoring_system": "epss", "scoring_elements": "0.97892", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.50291", "scoring_system": "epss", "scoring_elements": "0.97887", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23638" }, { "reference_url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T16:41:19Z/" } ], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23638", "reference_id": "CVE-2023-23638", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23638" }, { "reference_url": "https://github.com/advisories/GHSA-933g-v89r-x8pf", "reference_id": "GHSA-933g-v89r-x8pf", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-933g-v89r-x8pf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64254?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/137669?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/64255?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/64256?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3byz-42xs-3khg" }, { "vulnerability": "VCID-4cur-ezpv-k7fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.5" } ], "aliases": [ "CVE-2023-23638", "GHSA-933g-v89r-x8pf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f4ha-rjpx-yfgb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110635?format=api", "vulnerability_id": "VCID-m7ca-pdzs-2yfd", "summary": "Server-side request forgery in Apache Dubbo\nbypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24969", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85299", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85328", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85322", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24969" }, { "reference_url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24969", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24969" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640", "reference_id": "CVE-2021-25640", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640" }, { "reference_url": "https://github.com/advisories/GHSA-gm48-83x4-84jg", "reference_id": "GHSA-gm48-83x4-84jg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gm48-83x4-84jg" }, { "reference_url": "https://github.com/advisories/GHSA-gw4j-4229-q4px", "reference_id": "GHSA-gw4j-4229-q4px", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gw4j-4229-q4px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60096?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15" } ], "aliases": [ "CVE-2022-24969", "GHSA-gm48-83x4-84jg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m7ca-pdzs-2yfd" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41430?format=api", "vulnerability_id": "VCID-dj6s-gcjj-nuhr", "summary": "Deserialization of Untrusted Data\nIn Apache Dubbo, users may choose to use the Hessian protocol.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.79314", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.79338", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.79345", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.7934", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36163" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://github.com/apache/dubbo/pull/8238", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/pull/8238" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13" }, { "reference_url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36163", "reference_id": "CVE-2021-36163", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36163" }, { "reference_url": "https://github.com/advisories/GHSA-cpx9-4rwv-486v", "reference_id": "GHSA-cpx9-4rwv-486v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cpx9-4rwv-486v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/141182?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.6.10.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.6.10.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/58931?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2" } ], "aliases": [ "CVE-2021-36163", "GHSA-cpx9-4rwv-486v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dj6s-gcjj-nuhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41449?format=api", "vulnerability_id": "VCID-h5n6-nuyj-dkcc", "summary": "Deserialization of Untrusted Data\nThe Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37579", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02891", "scoring_system": "epss", "scoring_elements": "0.86582", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02891", "scoring_system": "epss", "scoring_elements": "0.866", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.02891", "scoring_system": "epss", "scoring_elements": "0.86605", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37579" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37579", "reference_id": "CVE-2021-37579", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37579" }, { "reference_url": "https://github.com/advisories/GHSA-q897-9jxf-jg9r", "reference_id": "GHSA-q897-9jxf-jg9r", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q897-9jxf-jg9r" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/58931?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2" } ], "aliases": [ "CVE-2021-37579", "GHSA-q897-9jxf-jg9r" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h5n6-nuyj-dkcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41450?format=api", "vulnerability_id": "VCID-psmu-bqpc-tkah", "summary": "Use of Externally-Controlled Format String\nA component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special `toString` method.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02734", "scoring_system": "epss", "scoring_elements": "0.86238", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02734", "scoring_system": "epss", "scoring_elements": "0.86258", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.02734", "scoring_system": "epss", "scoring_elements": "0.86261", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02734", "scoring_system": "epss", "scoring_elements": "0.8626", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36161" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36161", "reference_id": "CVE-2021-36161", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36161" }, { "reference_url": "https://github.com/advisories/GHSA-qvm7-23cj-437v", "reference_id": "GHSA-qvm7-23cj-437v", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qvm7-23cj-437v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" } ], "aliases": [ "CVE-2021-36161", "GHSA-qvm7-23cj-437v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-psmu-bqpc-tkah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41433?format=api", "vulnerability_id": "VCID-q32t-bhzw-kygq", "summary": "Code Injection\nApache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36162", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77505", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77496", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77469", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36162" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36162", "reference_id": "CVE-2021-36162", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36162" }, { "reference_url": "https://github.com/advisories/GHSA-r577-4hq7-73qh", "reference_id": "GHSA-r577-4hq7-73qh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r577-4hq7-73qh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/58931?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2" } ], "aliases": [ "CVE-2021-36162", "GHSA-r577-4hq7-73qh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q32t-bhzw-kygq" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" }