Package details: pkg:maven/org.apache.dubbo/dubbo@2.7.2
purl pkg:maven/org.apache.dubbo/dubbo@2.7.2
Next non-vulnerable version 2.7.21
Latest non-vulnerable version 3.2.5
Risk 10.0
Vulnerabilities affecting this package (17)
Columns: Vulnerability | Summary | Fixed by
VCID-2989-2ec6-jybq
Aliases: CVE-2021-25640, GHSA-gw4j-4229-q4px
Title: Server-Side Request Forgery (SSRF)
Summary: In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.
Fixed by: 2.7.9 (affected by 12 other vulnerabilities); 2.7.10 (affected by 8 other vulnerabilities)
VCID-8cxs-6fuh-17fg
Aliases: CVE-2019-17564, GHSA-69wp-3pm3-hxgg
Title: Deserialization of Untrusted Data
Summary: Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo.
Fixed by: 2.7.4.1 (affected by 16 other vulnerabilities)
VCID-9cck-3q13-1kej
Aliases: CVE-2021-30179, GHSA-5mc7-m686-p6jg
Title: Deserialization of Untrusted Data
Summary: Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call.
Fixed by: 2.7.10 (affected by 8 other vulnerabilities)
VCID-9ngc-j571-m3ck
Aliases: CVE-2021-43297, GHSA-vp5x-3v8r-qprw
Title: Deserialization of Untrusted Data
Summary: A deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, it will log some information for users, which may cause remote command execution.
Fixed by: 2.7.15 (affected by 2 other vulnerabilities); 3.0.5 (affected by 2 other vulnerabilities)
VCID-ahzf-whmw-aue3
Aliases: CVE-2022-39198, GHSA-5qwq-g2hx-r6f7
Title: Hessian Lite for Apache Dubbo deserialization vulnerability
Summary: A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
Fixed by: 2.7.18 (affected by 1 other vulnerability); 3.0.12 (affected by 1 other vulnerability); 3.1.1 (affected by 2 other vulnerabilities)
VCID-apmz-v6u5-8ygh
Aliases: CVE-2021-25641, GHSA-v2rg-8cwr-75g8
Title: Deserialization of Untrusted Data
Summary: Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, i.e. not following the server's instruction. This means that if a weak deserializer such as Kryo or FST is somehow in code scope (e.g. if Kryo is somehow a part of a dependency), a remote unauthenticated attacker can tell the Provider to use the weak deserializer, and then proceed to exploit it.
Fixed by: 2.7.8 (affected by 13 other vulnerabilities)
VCID-dj6s-gcjj-nuhr
Aliases: CVE-2021-36163, GHSA-cpx9-4rwv-486v
Title: Deserialization of Untrusted Data
Summary: In Apache Dubbo, users may choose to use the Hessian protocol.
Fixed by: 2.7.13 (affected by 4 other vulnerabilities); 3.0.2 (affected by 3 other vulnerabilities)
VCID-eznq-hze7-kqfg
Aliases: CVE-2021-30181, GHSA-qmfc-6www-fjqw
Title: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Summary: Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.
Fixed by: 2.7.10 (affected by 8 other vulnerabilities)
VCID-f4ha-rjpx-yfgb
Aliases: CVE-2023-23638, GHSA-933g-v89r-x8pf
Title: Deserialization of Untrusted Data
Summary: A deserialization vulnerability existed in Dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
Fixed by: 2.7.21 (affected by 0 other vulnerabilities); 2.7.22 (affected by 0 other vulnerabilities); 3.0.13 (affected by 0 other vulnerabilities); 3.1.5 (affected by 2 other vulnerabilities)
VCID-h5n6-nuyj-dkcc
Aliases: CVE-2021-37579, GHSA-q897-9jxf-jg9r
Title: Deserialization of Untrusted Data
Summary: The Dubbo Provider will check that the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there is an exception that the attacker can use to skip the security check (when enabled) and reach a deserialization operation with native Java serialization.
Fixed by: 2.7.13 (affected by 4 other vulnerabilities); 3.0.2 (affected by 3 other vulnerabilities)
VCID-m7ca-pdzs-2yfd
Aliases: CVE-2022-24969, GHSA-gm48-83x4-84jg
Title: Server-side request forgery in Apache Dubbo (bypass of CVE-2021-25640)
Summary: In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.
Fixed by: 2.7.15 (affected by 2 other vulnerabilities)
VCID-pjyr-9fcr-qbcr
Aliases: CVE-2021-30180, GHSA-7wfc-x4f7-gg2x
Title: Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)
Summary: Apache Dubbo supports Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.
Fixed by: 2.7.10 (affected by 8 other vulnerabilities)
VCID-psmu-bqpc-tkah
Aliases: CVE-2021-36161, GHSA-qvm7-23cj-437v
Title: Use of Externally-Controlled Format String
Summary: A component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with a special `toString` method.
Fixed by: 2.7.13 (affected by 4 other vulnerabilities)
VCID-q32t-bhzw-kygq
Aliases: CVE-2021-36162, GHSA-r577-4hq7-73qh
Title: Code Injection
Summary: Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center will be able to poison the rule so that, when it is retrieved by the consumers, it will get RCE on all of them.
Fixed by: 2.7.13 (affected by 4 other vulnerabilities); 3.0.2 (affected by 3 other vulnerabilities)
VCID-vmks-ba3d-ruf9
Aliases: CVE-2020-11995, GHSA-74mg-6xqx-2vrq
Title: Deserialization of Untrusted Data
Summary: A deserialization vulnerability existed in dubbo and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; while Hessian2 is deserializing a HashMap object, some functions in the classes stored in the HashMap will be executed after a series of program calls, and those special functions may cause remote command execution.
Fixed by: 2.7.8 (affected by 13 other vulnerabilities)
VCID-wg91-ny7q-ckgz
Aliases: CVE-2020-1948, GHSA-whww-v56c-cgv2
Title: Deserialization of Untrusted Data
Summary: This vulnerability can affect all Dubbo users stay on or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.
Fixed by: 2.7.7 (affected by 15 other vulnerabilities)
VCID-yj9m-e31v-bqcw
Aliases: CVE-2021-32824, GHSA-fprr-rrm8-4534
Title: Apache Dubbo vulnerable to remote code execution via Telnet Handler
Summary: Apache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.
Fixed by: 2.7.10 (affected by 8 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Columns: Vulnerability | Summary | Aliases
This package is not known to fix vulnerabilities.

Columns: Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-06T03:33:20.477145+00:00 GitLab Importer Affected by VCID-f4ha-rjpx-yfgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2023-23638.yml 38.6.0
2026-06-06T03:21:19.886765+00:00 GitLab Importer Affected by VCID-yj9m-e31v-bqcw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-32824.yml 38.6.0
2026-06-06T03:04:20.234439+00:00 GitLab Importer Affected by VCID-ahzf-whmw-aue3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2022-39198.yml 38.6.0
2026-06-06T02:35:47.816466+00:00 GitLab Importer Affected by VCID-m7ca-pdzs-2yfd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2022-24969.yml 38.6.0
2026-06-06T01:17:01.187307+00:00 GitLab Importer Affected by VCID-9ngc-j571-m3ck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-43297.yml 38.6.0
2026-06-06T00:59:09.441112+00:00 GitLab Importer Affected by VCID-psmu-bqpc-tkah https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-36161.yml 38.6.0
2026-06-06T00:59:08.659031+00:00 GitLab Importer Affected by VCID-h5n6-nuyj-dkcc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-37579.yml 38.6.0
2026-06-06T00:58:52.070263+00:00 GitLab Importer Affected by VCID-q32t-bhzw-kygq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-36162.yml 38.6.0
2026-06-06T00:58:49.845324+00:00 GitLab Importer Affected by VCID-dj6s-gcjj-nuhr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-36163.yml 38.6.0
2026-06-06T00:43:36.157378+00:00 GitLab Importer Affected by VCID-eznq-hze7-kqfg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-30181.yml 38.6.0
2026-06-06T00:43:30.738317+00:00 GitLab Importer Affected by VCID-apmz-v6u5-8ygh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-25641.yml 38.6.0
2026-06-06T00:43:30.194492+00:00 GitLab Importer Affected by VCID-2989-2ec6-jybq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-25640.yml 38.6.0
2026-06-06T00:43:26.294230+00:00 GitLab Importer Affected by VCID-9cck-3q13-1kej https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-30179.yml 38.6.0
2026-06-06T00:43:24.638634+00:00 GitLab Importer Affected by VCID-pjyr-9fcr-qbcr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2021-30180.yml 38.6.0
2026-06-04T20:43:08.276792+00:00 GitLab Importer Affected by VCID-vmks-ba3d-ruf9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2020-11995.yml 38.6.0
2026-06-04T20:32:57.602048+00:00 GitLab Importer Affected by VCID-wg91-ny7q-ckgz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2020-1948.yml 38.6.0
2026-06-04T20:29:00.934851+00:00 GitLab Importer Affected by VCID-8cxs-6fuh-17fg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.dubbo/dubbo/CVE-2019-17564.yml 38.6.0