Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.dubbo/dubbo@2.7.10
Type maven
Namespace org.apache.dubbo
Name dubbo
Version 2.7.10
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.7.21
Latest_non_vulnerable_version 3.2.5
Affected_by_vulnerabilities
0
url VCID-9ngc-j571-m3ck
vulnerability_id VCID-9ngc-j571-m3ck
summary
Deserialization of Untrusted Data
A deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, Hessian will log out some information for users, which may cause remote command execution.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-43297
reference_id
reference_type
scores
0
value 0.46296
scoring_system epss
scoring_elements 0.97717
published_at 2026-06-06T12:55:00Z
1
value 0.46296
scoring_system epss
scoring_elements 0.97712
published_at 2026-06-04T12:55:00Z
2
value 0.46296
scoring_system epss
scoring_elements 0.97716
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-43297
1
reference_url https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-43297
reference_id CVE-2021-43297
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-43297
3
reference_url https://github.com/advisories/GHSA-vp5x-3v8r-qprw
reference_id GHSA-vp5x-3v8r-qprw
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vp5x-3v8r-qprw
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.15
purl pkg:maven/org.apache.dubbo/dubbo@2.7.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ahzf-whmw-aue3
1
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15
1
url pkg:maven/org.apache.dubbo/dubbo@3.0.5
purl pkg:maven/org.apache.dubbo/dubbo@3.0.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ahzf-whmw-aue3
1
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.5
aliases CVE-2021-43297, GHSA-vp5x-3v8r-qprw
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9ngc-j571-m3ck
1
url VCID-ahzf-whmw-aue3
vulnerability_id VCID-ahzf-whmw-aue3
summary
Hessian Lite for Apache Dubbo deserialization vulnerability
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39198
reference_id
reference_type
scores
0
value 0.10341
scoring_system epss
scoring_elements 0.93334
published_at 2026-06-05T12:55:00Z
1
value 0.10341
scoring_system epss
scoring_elements 0.93335
published_at 2026-06-06T12:55:00Z
2
value 0.10341
scoring_system epss
scoring_elements 0.93323
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39198
1
reference_url https://github.com/apache/dubbo-hessian-lite
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo-hessian-lite
2
reference_url https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13
3
reference_url https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18
4
reference_url https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12
5
reference_url https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1
6
reference_url https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-13T14:48:24Z/
url https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-39198
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-39198
8
reference_url https://github.com/advisories/GHSA-5qwq-g2hx-r6f7
reference_id GHSA-5qwq-g2hx-r6f7
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5qwq-g2hx-r6f7
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.18
purl pkg:maven/org.apache.dubbo/dubbo@2.7.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.18
1
url pkg:maven/org.apache.dubbo/dubbo@3.0.12
purl pkg:maven/org.apache.dubbo/dubbo@3.0.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.12
2
url pkg:maven/org.apache.dubbo/dubbo@3.1.1
purl pkg:maven/org.apache.dubbo/dubbo@3.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4cur-ezpv-k7fx
1
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.1
aliases CVE-2022-39198, GHSA-5qwq-g2hx-r6f7
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ahzf-whmw-aue3
2
url VCID-dj6s-gcjj-nuhr
vulnerability_id VCID-dj6s-gcjj-nuhr
summary
Deserialization of Untrusted Data
In Apache Dubbo, users may choose to use the Hessian protocol.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-36163
reference_id
reference_type
scores
0
value 0.0121
scoring_system epss
scoring_elements 0.79314
published_at 2026-06-04T12:55:00Z
1
value 0.0121
scoring_system epss
scoring_elements 0.79345
published_at 2026-06-06T12:55:00Z
2
value 0.0121
scoring_system epss
scoring_elements 0.7934
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-36163
1
reference_url https://github.com/apache/dubbo
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo
2
reference_url https://github.com/apache/dubbo/pull/8238
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo/pull/8238
3
reference_url https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1
4
reference_url https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13
5
reference_url https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-36163
reference_id CVE-2021-36163
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-36163
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.13
purl pkg:maven/org.apache.dubbo/dubbo@2.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-f4ha-rjpx-yfgb
3
vulnerability VCID-m7ca-pdzs-2yfd
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13
1
url pkg:maven/org.apache.dubbo/dubbo@3.0.2
purl pkg:maven/org.apache.dubbo/dubbo@3.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2
aliases CVE-2021-36163, GHSA-cpx9-4rwv-486v
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dj6s-gcjj-nuhr
3
url VCID-f4ha-rjpx-yfgb
vulnerability_id VCID-f4ha-rjpx-yfgb
summary
Deserialization of Untrusted Data
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-23638
reference_id
reference_type
scores
0
value 0.50291
scoring_system epss
scoring_elements 0.97892
published_at 2026-06-06T12:55:00Z
1
value 0.50291
scoring_system epss
scoring_elements 0.97887
published_at 2026-06-04T12:55:00Z
2
value 0.50291
scoring_system epss
scoring_elements 0.97891
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-23638
1
reference_url https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb
reference_id
reference_type
scores
0
value 5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T16:41:19Z/
url https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-23638
reference_id CVE-2023-23638
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-23638
3
reference_url https://github.com/advisories/GHSA-933g-v89r-x8pf
reference_id GHSA-933g-v89r-x8pf
reference_type
scores
url https://github.com/advisories/GHSA-933g-v89r-x8pf
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.21
purl pkg:maven/org.apache.dubbo/dubbo@2.7.21
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.21
1
url pkg:maven/org.apache.dubbo/dubbo@2.7.22
purl pkg:maven/org.apache.dubbo/dubbo@2.7.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.22
2
url pkg:maven/org.apache.dubbo/dubbo@3.0.13
purl pkg:maven/org.apache.dubbo/dubbo@3.0.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.13
3
url pkg:maven/org.apache.dubbo/dubbo@3.1.5
purl pkg:maven/org.apache.dubbo/dubbo@3.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3byz-42xs-3khg
1
vulnerability VCID-4cur-ezpv-k7fx
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.5
aliases CVE-2023-23638, GHSA-933g-v89r-x8pf
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f4ha-rjpx-yfgb
4
url VCID-h5n6-nuyj-dkcc
vulnerability_id VCID-h5n6-nuyj-dkcc
summary
Deserialization of Untrusted Data
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-37579
reference_id
reference_type
scores
0
value 0.02891
scoring_system epss
scoring_elements 0.86582
published_at 2026-06-04T12:55:00Z
1
value 0.02891
scoring_system epss
scoring_elements 0.86605
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-37579
1
reference_url https://github.com/apache/dubbo
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo
2
reference_url https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-37579
reference_id CVE-2021-37579
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-37579
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.13
purl pkg:maven/org.apache.dubbo/dubbo@2.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-f4ha-rjpx-yfgb
3
vulnerability VCID-m7ca-pdzs-2yfd
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13
1
url pkg:maven/org.apache.dubbo/dubbo@3.0.2
purl pkg:maven/org.apache.dubbo/dubbo@3.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2
aliases CVE-2021-37579, GHSA-q897-9jxf-jg9r
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h5n6-nuyj-dkcc
5
url VCID-m7ca-pdzs-2yfd
vulnerability_id VCID-m7ca-pdzs-2yfd
summary
Server-side request forgery in Apache Dubbo
bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24969
reference_id
reference_type
scores
0
value 0.02387
scoring_system epss
scoring_elements 0.85299
published_at 2026-06-04T12:55:00Z
1
value 0.02387
scoring_system epss
scoring_elements 0.85328
published_at 2026-06-06T12:55:00Z
2
value 0.02387
scoring_system epss
scoring_elements 0.85322
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24969
1
reference_url https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24969
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24969
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-25640
reference_id CVE-2021-25640
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-25640
4
reference_url https://github.com/advisories/GHSA-gm48-83x4-84jg
reference_id GHSA-gm48-83x4-84jg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gm48-83x4-84jg
5
reference_url https://github.com/advisories/GHSA-gw4j-4229-q4px
reference_id GHSA-gw4j-4229-q4px
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-gw4j-4229-q4px
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.15
purl pkg:maven/org.apache.dubbo/dubbo@2.7.15
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-ahzf-whmw-aue3
1
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15
aliases CVE-2022-24969, GHSA-gm48-83x4-84jg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m7ca-pdzs-2yfd
6
url VCID-psmu-bqpc-tkah
vulnerability_id VCID-psmu-bqpc-tkah
summary
Use of Externally-Controlled Format String
A component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with a special `toString` method.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-36161
reference_id
reference_type
scores
0
value 0.02734
scoring_system epss
scoring_elements 0.86238
published_at 2026-06-04T12:55:00Z
1
value 0.02734
scoring_system epss
scoring_elements 0.86261
published_at 2026-06-06T12:55:00Z
2
value 0.02734
scoring_system epss
scoring_elements 0.8626
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-36161
1
reference_url https://github.com/apache/dubbo
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo
2
reference_url https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-36161
reference_id CVE-2021-36161
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-36161
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.13
purl pkg:maven/org.apache.dubbo/dubbo@2.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-f4ha-rjpx-yfgb
3
vulnerability VCID-m7ca-pdzs-2yfd
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13
aliases CVE-2021-36161, GHSA-qvm7-23cj-437v
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-psmu-bqpc-tkah
7
url VCID-q32t-bhzw-kygq
vulnerability_id VCID-q32t-bhzw-kygq
summary
Code Injection
Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center will be able to poison the rule so that, when it is retrieved by the consumers, it will get RCE on all of them.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-36162
reference_id
reference_type
scores
0
value 0.01012
scoring_system epss
scoring_elements 0.77469
published_at 2026-06-04T12:55:00Z
1
value 0.01012
scoring_system epss
scoring_elements 0.77505
published_at 2026-06-06T12:55:00Z
2
value 0.01012
scoring_system epss
scoring_elements 0.77496
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-36162
1
reference_url https://github.com/apache/dubbo
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo
2
reference_url https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-36162
reference_id CVE-2021-36162
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-36162
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.13
purl pkg:maven/org.apache.dubbo/dubbo@2.7.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-f4ha-rjpx-yfgb
3
vulnerability VCID-m7ca-pdzs-2yfd
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13
1
url pkg:maven/org.apache.dubbo/dubbo@3.0.2
purl pkg:maven/org.apache.dubbo/dubbo@3.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-f4ha-rjpx-yfgb
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2
aliases CVE-2021-36162, GHSA-r577-4hq7-73qh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q32t-bhzw-kygq
Fixing_vulnerabilities
0
url VCID-2989-2ec6-jybq
vulnerability_id VCID-2989-2ec6-jybq
summary
Server-Side Request Forgery (SSRF)
In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-25640
reference_id
reference_type
scores
0
value 0.00705
scoring_system epss
scoring_elements 0.72483
published_at 2026-06-04T12:55:00Z
1
value 0.00705
scoring_system epss
scoring_elements 0.72532
published_at 2026-06-06T12:55:00Z
2
value 0.00705
scoring_system epss
scoring_elements 0.72525
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-25640
1
reference_url https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E
2
reference_url https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-25640
reference_id CVE-2021-25640
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-25640
4
reference_url https://github.com/advisories/GHSA-gw4j-4229-q4px
reference_id GHSA-gw4j-4229-q4px
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gw4j-4229-q4px
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.6.9
purl pkg:maven/org.apache.dubbo/dubbo@2.6.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.6.9
1
url pkg:maven/org.apache.dubbo/dubbo@2.7.9
purl pkg:maven/org.apache.dubbo/dubbo@2.7.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9cck-3q13-1kej
1
vulnerability VCID-9ngc-j571-m3ck
2
vulnerability VCID-ahzf-whmw-aue3
3
vulnerability VCID-dj6s-gcjj-nuhr
4
vulnerability VCID-eznq-hze7-kqfg
5
vulnerability VCID-f4ha-rjpx-yfgb
6
vulnerability VCID-h5n6-nuyj-dkcc
7
vulnerability VCID-m7ca-pdzs-2yfd
8
vulnerability VCID-pjyr-9fcr-qbcr
9
vulnerability VCID-psmu-bqpc-tkah
10
vulnerability VCID-q32t-bhzw-kygq
11
vulnerability VCID-yj9m-e31v-bqcw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.9
2
url pkg:maven/org.apache.dubbo/dubbo@2.7.10
purl pkg:maven/org.apache.dubbo/dubbo@2.7.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-dj6s-gcjj-nuhr
3
vulnerability VCID-f4ha-rjpx-yfgb
4
vulnerability VCID-h5n6-nuyj-dkcc
5
vulnerability VCID-m7ca-pdzs-2yfd
6
vulnerability VCID-psmu-bqpc-tkah
7
vulnerability VCID-q32t-bhzw-kygq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10
aliases CVE-2021-25640, GHSA-gw4j-4229-q4px
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2989-2ec6-jybq
1
url VCID-9cck-3q13-1kej
vulnerability_id VCID-9cck-3q13-1kej
summary
Deserialization of Untrusted Data
Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-30179
reference_id
reference_type
scores
0
value 0.02183
scoring_system epss
scoring_elements 0.84672
published_at 2026-06-04T12:55:00Z
1
value 0.02183
scoring_system epss
scoring_elements 0.847
published_at 2026-06-06T12:55:00Z
2
value 0.02183
scoring_system epss
scoring_elements 0.84696
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-30179
1
reference_url https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E
2
reference_url https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-30179
reference_id CVE-2021-30179
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-30179
4
reference_url https://github.com/advisories/GHSA-5mc7-m686-p6jg
reference_id GHSA-5mc7-m686-p6jg
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5mc7-m686-p6jg
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.10
purl pkg:maven/org.apache.dubbo/dubbo@2.7.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-dj6s-gcjj-nuhr
3
vulnerability VCID-f4ha-rjpx-yfgb
4
vulnerability VCID-h5n6-nuyj-dkcc
5
vulnerability VCID-m7ca-pdzs-2yfd
6
vulnerability VCID-psmu-bqpc-tkah
7
vulnerability VCID-q32t-bhzw-kygq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10
aliases CVE-2021-30179, GHSA-5mc7-m686-p6jg
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9cck-3q13-1kej
2
url VCID-eznq-hze7-kqfg
vulnerability_id VCID-eznq-hze7-kqfg
summary
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing, which enables a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script, which by default may enable executing arbitrary code.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-30181
reference_id
reference_type
scores
0
value 0.03871
scoring_system epss
scoring_elements 0.88462
published_at 2026-06-06T12:55:00Z
1
value 0.03871
scoring_system epss
scoring_elements 0.88442
published_at 2026-06-04T12:55:00Z
2
value 0.03871
scoring_system epss
scoring_elements 0.8846
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-30181
1
reference_url https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-30181
reference_id CVE-2021-30181
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-30181
3
reference_url https://github.com/advisories/GHSA-qmfc-6www-fjqw
reference_id GHSA-qmfc-6www-fjqw
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qmfc-6www-fjqw
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.10
purl pkg:maven/org.apache.dubbo/dubbo@2.7.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-dj6s-gcjj-nuhr
3
vulnerability VCID-f4ha-rjpx-yfgb
4
vulnerability VCID-h5n6-nuyj-dkcc
5
vulnerability VCID-m7ca-pdzs-2yfd
6
vulnerability VCID-psmu-bqpc-tkah
7
vulnerability VCID-q32t-bhzw-kygq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10
aliases CVE-2021-30181, GHSA-qmfc-6www-fjqw
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-eznq-hze7-kqfg
3
url VCID-pjyr-9fcr-qbcr
vulnerability_id VCID-pjyr-9fcr-qbcr
summary
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)
Apache Dubbo supports Tag routing, which enables a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-30180
reference_id
reference_type
scores
0
value 0.04398
scoring_system epss
scoring_elements 0.89204
published_at 2026-06-06T12:55:00Z
1
value 0.04398
scoring_system epss
scoring_elements 0.89186
published_at 2026-06-04T12:55:00Z
2
value 0.04398
scoring_system epss
scoring_elements 0.89202
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-30180
1
reference_url https://lists.apache.org/thread.html/raed526465e56204030ddf374b1959478a290e7511971d7aba2e9e39b%40%3Cdev.dubbo.apache.org%3E
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread.html/raed526465e56204030ddf374b1959478a290e7511971d7aba2e9e39b%40%3Cdev.dubbo.apache.org%3E
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-30180
reference_id CVE-2021-30180
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-30180
3
reference_url https://github.com/advisories/GHSA-7wfc-x4f7-gg2x
reference_id GHSA-7wfc-x4f7-gg2x
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7wfc-x4f7-gg2x
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.7.10
purl pkg:maven/org.apache.dubbo/dubbo@2.7.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-dj6s-gcjj-nuhr
3
vulnerability VCID-f4ha-rjpx-yfgb
4
vulnerability VCID-h5n6-nuyj-dkcc
5
vulnerability VCID-m7ca-pdzs-2yfd
6
vulnerability VCID-psmu-bqpc-tkah
7
vulnerability VCID-q32t-bhzw-kygq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10
aliases CVE-2021-30180, GHSA-7wfc-x4f7-gg2x
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pjyr-9fcr-qbcr
4
url VCID-yj9m-e31v-bqcw
vulnerability_id VCID-yj9m-e31v-bqcw
summary
Apache Dubbo vulnerable to remote code execution via Telnet Handler
Apache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service, and it can even allow shutting down the service. This endpoint is unprotected.

Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize`, which can be used to instantiate arbitrary classes and invoke their setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution.

Versions 2.6.10 and 2.7.10 contain fixes for this issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32824
reference_id
reference_type
scores
0
value 0.05859
scoring_system epss
scoring_elements 0.90725
published_at 2026-06-04T12:55:00Z
1
value 0.05859
scoring_system epss
scoring_elements 0.90737
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32824
1
reference_url https://github.com/apache/dubbo
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/apache/dubbo
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32824
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32824
3
reference_url https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo
4
reference_url https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/
reference_id
reference_type
scores
0
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:39Z/
url https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/
5
reference_url https://github.com/advisories/GHSA-fprr-rrm8-4534
reference_id GHSA-fprr-rrm8-4534
reference_type
scores
url https://github.com/advisories/GHSA-fprr-rrm8-4534
fixed_packages
0
url pkg:maven/org.apache.dubbo/dubbo@2.6.10
purl pkg:maven/org.apache.dubbo/dubbo@2.6.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.6.10
1
url pkg:maven/org.apache.dubbo/dubbo@2.7.10
purl pkg:maven/org.apache.dubbo/dubbo@2.7.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9ngc-j571-m3ck
1
vulnerability VCID-ahzf-whmw-aue3
2
vulnerability VCID-dj6s-gcjj-nuhr
3
vulnerability VCID-f4ha-rjpx-yfgb
4
vulnerability VCID-h5n6-nuyj-dkcc
5
vulnerability VCID-m7ca-pdzs-2yfd
6
vulnerability VCID-psmu-bqpc-tkah
7
vulnerability VCID-q32t-bhzw-kygq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10
aliases CVE-2021-32824, GHSA-fprr-rrm8-4534
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yj9m-e31v-bqcw
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10