{"url":"http://public2.vulnerablecode.io/api/packages/80914?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.10","type":"maven","namespace":"org.apache.dubbo","name":"dubbo","version":"2.7.10","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.7.21","latest_non_vulnerable_version":"3.2.5","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42021?format=json","vulnerability_id":"VCID-9ngc-j571-m3ck","summary":"Deserialization of Untrusted Data\nA deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43297","reference_id":"","reference_type":"","scores":[{"value":"0.46296","scoring_system":"epss","scoring_elements":"0.97717","published_at":"2026-06-07T12:55:00Z"},{"value":"0.46296","scoring_system":"epss","scoring_elements":"0.97712","published_at":"2026-06-04T12:55:00Z"},{"value":"0.46296","scoring_system":"epss","scoring_elements":"0.97716","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-43297"},{"reference_url":"https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43297","reference_id":"CVE-2021-43297","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43297"},{"reference_url":"https://github.com/advisories/GHSA-vp5x-3v8r-qprw","reference_id":"GHSA-vp5x-3v8r-qprw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vp5x-3v8r-qprw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60096?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15"},{"url":"http://public2.vulnerablecode.io/api/packages/60097?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.5"}],"aliases":["CVE-2021-43297","GHSA-vp5x-3v8r-qprw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ngc-j571-m3ck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/108845?format=json","vulnerability_id":"VCID-ahzf-whmw-aue3","summary":"Hessian Lite for Apache Dubbo deserialization vulnerability\nA deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39198","reference_id":"","reference_type":"","scores":[{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93335","published_at":"2026-06-06T12:55:00Z"},{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93333","published_at":"2026-06-07T12:55:00Z"},{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93323","published_at":"2026-06-04T12:55:00Z"},{"value":"0.10341","scoring_system":"epss","scoring_elements":"0.93334","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-39198"},{"reference_url":"https://github.com/apache/dubbo-hessian-lite","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo-hessian-lite"},{"reference_url":"https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1"},{"reference_url":"https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-13T14:48:24Z/"}],"url":"https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39198","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39198"},{"reference_url":"https://github.com/advisories/GHSA-5qwq-g2hx-r6f7","reference_id":"GHSA-5qwq-g2hx-r6f7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5qwq-g2hx-r6f7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/145003?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.18"},{"url":"http://public2.vulnerablecode.io/api/packages/145005?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.12"},{"url":"http://public2.vulnerablecode.io/api/packages/145008?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4cur-ezpv-k7fx"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.1"}],"aliases":["CVE-2022-39198","GHSA-5qwq-g2hx-r6f7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ahzf-whmw-aue3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41430?format=json","vulnerability_id":"VCID-dj6s-gcjj-nuhr","summary":"Deserialization of Untrusted Data\nIn Apache Dubbo, users may choose to use the Hessian protocol.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36163","reference_id":"","reference_type":"","scores":[{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.79314","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.79338","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.79345","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0121","scoring_system":"epss","scoring_elements":"0.7934","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36163"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://github.com/apache/dubbo/pull/8238","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/pull/8238"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1"},{"reference_url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13"},{"reference_url":"https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36163","reference_id":"CVE-2021-36163","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36163"},{"reference_url":"https://github.com/advisories/GHSA-cpx9-4rwv-486v","reference_id":"GHSA-cpx9-4rwv-486v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cpx9-4rwv-486v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/58931?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2"}],"aliases":["CVE-2021-36163","GHSA-cpx9-4rwv-486v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dj6s-gcjj-nuhr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44630?format=json","vulnerability_id":"VCID-f4ha-rjpx-yfgb","summary":"Deserialization of Untrusted Data\nA deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23638","reference_id":"","reference_type":"","scores":[{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97891","published_at":"2026-06-05T12:55:00Z"},{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97893","published_at":"2026-06-07T12:55:00Z"},{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97892","published_at":"2026-06-06T12:55:00Z"},{"value":"0.50291","scoring_system":"epss","scoring_elements":"0.97887","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-23638"},{"reference_url":"https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb","reference_id":"","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T16:41:19Z/"}],"url":"https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23638","reference_id":"CVE-2023-23638","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23638"},{"reference_url":"https://github.com/advisories/GHSA-933g-v89r-x8pf","reference_id":"GHSA-933g-v89r-x8pf","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-933g-v89r-x8pf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64254?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.21","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.21"},{"url":"http://public2.vulnerablecode.io/api/packages/137669?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.22","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.22"},{"url":"http://public2.vulnerablecode.io/api/packages/64255?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.13","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.13"},{"url":"http://public2.vulnerablecode.io/api/packages/64256?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.1.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3byz-42xs-3khg"},{"vulnerability":"VCID-4cur-ezpv-k7fx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.5"}],"aliases":["CVE-2023-23638","GHSA-933g-v89r-x8pf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f4ha-rjpx-yfgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41449?format=json","vulnerability_id":"VCID-h5n6-nuyj-dkcc","summary":"Deserialization of Untrusted Data\nThe Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37579","reference_id":"","reference_type":"","scores":[{"value":"0.02891","scoring_system":"epss","scoring_elements":"0.86582","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02891","scoring_system":"epss","scoring_elements":"0.866","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02891","scoring_system":"epss","scoring_elements":"0.86605","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37579"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37579","reference_id":"CVE-2021-37579","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37579"},{"reference_url":"https://github.com/advisories/GHSA-q897-9jxf-jg9r","reference_id":"GHSA-q897-9jxf-jg9r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q897-9jxf-jg9r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/58931?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2"}],"aliases":["CVE-2021-37579","GHSA-q897-9jxf-jg9r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h5n6-nuyj-dkcc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/110635?format=json","vulnerability_id":"VCID-m7ca-pdzs-2yfd","summary":"Server-side request forgery in Apache Dubbo\nbypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24969","reference_id":"","reference_type":"","scores":[{"value":"0.02387","scoring_system":"epss","scoring_elements":"0.85299","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02387","scoring_system":"epss","scoring_elements":"0.85328","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02387","scoring_system":"epss","scoring_elements":"0.85322","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24969"},{"reference_url":"https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24969","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24969"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25640","reference_id":"CVE-2021-25640","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25640"},{"reference_url":"https://github.com/advisories/GHSA-gm48-83x4-84jg","reference_id":"GHSA-gm48-83x4-84jg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gm48-83x4-84jg"},{"reference_url":"https://github.com/advisories/GHSA-gw4j-4229-q4px","reference_id":"GHSA-gw4j-4229-q4px","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gw4j-4229-q4px"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60096?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15"}],"aliases":["CVE-2022-24969","GHSA-gm48-83x4-84jg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m7ca-pdzs-2yfd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41450?format=json","vulnerability_id":"VCID-psmu-bqpc-tkah","summary":"Use of Externally-Controlled Format String\nA component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special `toString` method.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36161","reference_id":"","reference_type":"","scores":[{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.86238","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.86258","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.86261","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02734","scoring_system":"epss","scoring_elements":"0.8626","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36161"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36161","reference_id":"CVE-2021-36161","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36161"},{"reference_url":"https://github.com/advisories/GHSA-qvm7-23cj-437v","reference_id":"GHSA-qvm7-23cj-437v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qvm7-23cj-437v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"}],"aliases":["CVE-2021-36161","GHSA-qvm7-23cj-437v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-psmu-bqpc-tkah"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41433?format=json","vulnerability_id":"VCID-q32t-bhzw-kygq","summary":"Code Injection\nApache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36162","reference_id":"","reference_type":"","scores":[{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77505","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77496","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01012","scoring_system":"epss","scoring_elements":"0.77469","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-36162"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36162","reference_id":"CVE-2021-36162","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-36162"},{"reference_url":"https://github.com/advisories/GHSA-r577-4hq7-73qh","reference_id":"GHSA-r577-4hq7-73qh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r577-4hq7-73qh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58930?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.13","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13"},{"url":"http://public2.vulnerablecode.io/api/packages/58931?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@3.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2"}],"aliases":["CVE-2021-36162","GHSA-r577-4hq7-73qh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q32t-bhzw-kygq"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42750?format=json","vulnerability_id":"VCID-2989-2ec6-jybq","summary":"Server-Side Request Forgery (SSRF)\nIn Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25640","reference_id":"","reference_type":"","scores":[{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72483","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72512","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72532","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00705","scoring_system":"epss","scoring_elements":"0.72525","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25640"},{"reference_url":"https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25640","reference_id":"CVE-2021-25640","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25640"},{"reference_url":"https://github.com/advisories/GHSA-gw4j-4229-q4px","reference_id":"GHSA-gw4j-4229-q4px","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gw4j-4229-q4px"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80921?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.6.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.6.9"},{"url":"http://public2.vulnerablecode.io/api/packages/80922?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9cck-3q13-1kej"},{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-dj6s-gcjj-nuhr"},{"vulnerability":"VCID-eznq-hze7-kqfg"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-h5n6-nuyj-dkcc"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"},{"vulnerability":"VCID-pjyr-9fcr-qbcr"},{"vulnerability":"VCID-psmu-bqpc-tkah"},{"vulnerability":"VCID-q32t-bhzw-kygq"},{"vulnerability":"VCID-yj9m-e31v-bqcw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.9"},{"url":"http://public2.vulnerablecode.io/api/packages/80914?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-dj6s-gcjj-nuhr"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-h5n6-nuyj-dkcc"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"},{"vulnerability":"VCID-psmu-bqpc-tkah"},{"vulnerability":"VCID-q32t-bhzw-kygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10"}],"aliases":["CVE-2021-25640","GHSA-gw4j-4229-q4px"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2989-2ec6-jybq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42739?format=json","vulnerability_id":"VCID-9cck-3q13-1kej","summary":"Deserialization of Untrusted Data\nApache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30179","reference_id":"","reference_type":"","scores":[{"value":"0.02183","scoring_system":"epss","scoring_elements":"0.84672","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02183","scoring_system":"epss","scoring_elements":"0.84694","published_at":"2026-06-07T12:55:00Z"},{"value":"0.02183","scoring_system":"epss","scoring_elements":"0.847","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02183","scoring_system":"epss","scoring_elements":"0.84696","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30179"},{"reference_url":"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30179","reference_id":"CVE-2021-30179","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30179"},{"reference_url":"https://github.com/advisories/GHSA-5mc7-m686-p6jg","reference_id":"GHSA-5mc7-m686-p6jg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5mc7-m686-p6jg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80914?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-dj6s-gcjj-nuhr"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-h5n6-nuyj-dkcc"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"},{"vulnerability":"VCID-psmu-bqpc-tkah"},{"vulnerability":"VCID-q32t-bhzw-kygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10"}],"aliases":["CVE-2021-30179","GHSA-5mc7-m686-p6jg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9cck-3q13-1kej"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42740?format=json","vulnerability_id":"VCID-eznq-hze7-kqfg","summary":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nApache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30181","reference_id":"","reference_type":"","scores":[{"value":"0.03871","scoring_system":"epss","scoring_elements":"0.88461","published_at":"2026-06-07T12:55:00Z"},{"value":"0.03871","scoring_system":"epss","scoring_elements":"0.88442","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03871","scoring_system":"epss","scoring_elements":"0.8846","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03871","scoring_system":"epss","scoring_elements":"0.88462","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30181"},{"reference_url":"https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30181","reference_id":"CVE-2021-30181","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30181"},{"reference_url":"https://github.com/advisories/GHSA-qmfc-6www-fjqw","reference_id":"GHSA-qmfc-6www-fjqw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qmfc-6www-fjqw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80914?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-dj6s-gcjj-nuhr"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-h5n6-nuyj-dkcc"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"},{"vulnerability":"VCID-psmu-bqpc-tkah"},{"vulnerability":"VCID-q32t-bhzw-kygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10"}],"aliases":["CVE-2021-30181","GHSA-qmfc-6www-fjqw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eznq-hze7-kqfg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54557?format=json","vulnerability_id":"VCID-pjyr-9fcr-qbcr","summary":"Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)\nApache Dubbo support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30180","reference_id":"","reference_type":"","scores":[{"value":"0.04398","scoring_system":"epss","scoring_elements":"0.89203","published_at":"2026-06-07T12:55:00Z"},{"value":"0.04398","scoring_system":"epss","scoring_elements":"0.89186","published_at":"2026-06-04T12:55:00Z"},{"value":"0.04398","scoring_system":"epss","scoring_elements":"0.89202","published_at":"2026-06-05T12:55:00Z"},{"value":"0.04398","scoring_system":"epss","scoring_elements":"0.89204","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30180"},{"reference_url":"https://lists.apache.org/thread.html/raed526465e56204030ddf374b1959478a290e7511971d7aba2e9e39b%40%3Cdev.dubbo.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raed526465e56204030ddf374b1959478a290e7511971d7aba2e9e39b%40%3Cdev.dubbo.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30180","reference_id":"CVE-2021-30180","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30180"},{"reference_url":"https://github.com/advisories/GHSA-7wfc-x4f7-gg2x","reference_id":"GHSA-7wfc-x4f7-gg2x","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7wfc-x4f7-gg2x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80914?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-dj6s-gcjj-nuhr"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-h5n6-nuyj-dkcc"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"},{"vulnerability":"VCID-psmu-bqpc-tkah"},{"vulnerability":"VCID-q32t-bhzw-kygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10"}],"aliases":["CVE-2021-30180","GHSA-7wfc-x4f7-gg2x"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pjyr-9fcr-qbcr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/106085?format=json","vulnerability_id":"VCID-yj9m-e31v-bqcw","summary":"Apache Dubbo vulnerable to remote code execution via Telnet Handler\nApache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. \n\nAdditionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. \n\nVersions 2.6.10 and 2.7.10 contain fixes for this issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32824","reference_id":"","reference_type":"","scores":[{"value":"0.05859","scoring_system":"epss","scoring_elements":"0.90734","published_at":"2026-06-07T12:55:00Z"},{"value":"0.05859","scoring_system":"epss","scoring_elements":"0.90725","published_at":"2026-06-04T12:55:00Z"},{"value":"0.05859","scoring_system":"epss","scoring_elements":"0.90737","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32824"},{"reference_url":"https://github.com/apache/dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/dubbo"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32824","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32824"},{"reference_url":"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo"},{"reference_url":"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:39Z/"}],"url":"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"},{"reference_url":"https://github.com/advisories/GHSA-fprr-rrm8-4534","reference_id":"GHSA-fprr-rrm8-4534","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fprr-rrm8-4534"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/504925?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.6.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dj6s-gcjj-nuhr"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.6.10"},{"url":"http://public2.vulnerablecode.io/api/packages/80914?format=json","purl":"pkg:maven/org.apache.dubbo/dubbo@2.7.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ngc-j571-m3ck"},{"vulnerability":"VCID-ahzf-whmw-aue3"},{"vulnerability":"VCID-dj6s-gcjj-nuhr"},{"vulnerability":"VCID-f4ha-rjpx-yfgb"},{"vulnerability":"VCID-h5n6-nuyj-dkcc"},{"vulnerability":"VCID-m7ca-pdzs-2yfd"},{"vulnerability":"VCID-psmu-bqpc-tkah"},{"vulnerability":"VCID-q32t-bhzw-kygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10"}],"aliases":["CVE-2021-32824","GHSA-fprr-rrm8-4534"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yj9m-e31v-bqcw"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10"}