Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/80922?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/80922?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.9", "type": "maven", "namespace": "org.apache.dubbo", "name": "dubbo", "version": "2.7.9", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.7.21", "latest_non_vulnerable_version": "3.2.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42739?format=api", "vulnerability_id": "VCID-9cck-3q13-1kej", "summary": "Deserialization of Untrusted Data\nApache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection API to make the final call.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30179", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.84672", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.847", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02183", "scoring_system": "epss", "scoring_elements": "0.84696", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30179" }, { "reference_url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67@%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rccbcbdd6593e42ea3a1e8fedd12807cb111375c9c40edb005ef36f67%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179", "reference_id": "CVE-2021-30179", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30179" }, { "reference_url": "https://github.com/advisories/GHSA-5mc7-m686-p6jg", "reference_id": "GHSA-5mc7-m686-p6jg", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5mc7-m686-p6jg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80914?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-dj6s-gcjj-nuhr" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-h5n6-nuyj-dkcc" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" }, { "vulnerability": "VCID-psmu-bqpc-tkah" }, { "vulnerability": "VCID-q32t-bhzw-kygq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10" } ], "aliases": [ "CVE-2021-30179", "GHSA-5mc7-m686-p6jg" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9cck-3q13-1kej" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42021?format=api", "vulnerability_id": "VCID-9ngc-j571-m3ck", "summary": "Deserialization of Untrusted Data\nA deserialization vulnerability existed in dubbo hessian-lite and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43297", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.46296", "scoring_system": "epss", "scoring_elements": "0.97717", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.46296", "scoring_system": "epss", "scoring_elements": "0.97712", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.46296", "scoring_system": "epss", "scoring_elements": "0.97716", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-43297" }, { "reference_url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43297", "reference_id": "CVE-2021-43297", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43297" }, { "reference_url": "https://github.com/advisories/GHSA-vp5x-3v8r-qprw", "reference_id": "GHSA-vp5x-3v8r-qprw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vp5x-3v8r-qprw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60096?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/60097?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.5" } ], "aliases": [ "CVE-2021-43297", "GHSA-vp5x-3v8r-qprw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9ngc-j571-m3ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/108845?format=api", "vulnerability_id": "VCID-ahzf-whmw-aue3", "summary": "Hessian Lite for Apache Dubbo deserialization vulnerability\nA deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39198", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.10341", "scoring_system": "epss", "scoring_elements": "0.93334", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.10341", "scoring_system": "epss", "scoring_elements": "0.93335", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.10341", "scoring_system": "epss", "scoring_elements": "0.93323", "published_at": "2026-06-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-39198" }, { "reference_url": "https://github.com/apache/dubbo-hessian-lite", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo-hessian-lite" }, { "reference_url": "https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1" }, { "reference_url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-05-13T14:48:24Z/" } ], "url": "https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39198", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39198" }, { "reference_url": "https://github.com/advisories/GHSA-5qwq-g2hx-r6f7", "reference_id": "GHSA-5qwq-g2hx-r6f7", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5qwq-g2hx-r6f7" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/145003?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/145005?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/145008?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4cur-ezpv-k7fx" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.1" } ], "aliases": [ "CVE-2022-39198", "GHSA-5qwq-g2hx-r6f7" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ahzf-whmw-aue3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41430?format=api", "vulnerability_id": "VCID-dj6s-gcjj-nuhr", "summary": "Deserialization of Untrusted Data\nIn Apache Dubbo, users may choose to use the Hessian protocol.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.79314", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.79345", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.0121", "scoring_system": "epss", "scoring_elements": "0.7934", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36163" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://github.com/apache/dubbo/pull/8238", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/pull/8238" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.6.10.1" }, { "reference_url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo/releases/tag/dubbo-2.7.13" }, { "reference_url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r8d0adc057bb15a37199502cc366f4b1164c9c536ce28e4defdb428c0%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36163", "reference_id": "CVE-2021-36163", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36163" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/58931?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2" } ], "aliases": [ "CVE-2021-36163", "GHSA-cpx9-4rwv-486v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dj6s-gcjj-nuhr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42740?format=api", "vulnerability_id": "VCID-eznq-hze7-kqfg", "summary": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\nApache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these rules, Dubbo customers use ScriptEngine and run the rule provided by the script which by default may enable executing arbitrary code.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30181", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03871", "scoring_system": "epss", "scoring_elements": "0.88462", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.03871", "scoring_system": "epss", "scoring_elements": "0.88442", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.03871", "scoring_system": "epss", "scoring_elements": "0.8846", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30181" }, { "reference_url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/re22410dc704a09bc7032ddf15140cf5e7df3e8ece390fc9032ff5587%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30181", "reference_id": "CVE-2021-30181", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30181" }, { "reference_url": "https://github.com/advisories/GHSA-qmfc-6www-fjqw", "reference_id": "GHSA-qmfc-6www-fjqw", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qmfc-6www-fjqw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80914?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-dj6s-gcjj-nuhr" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-h5n6-nuyj-dkcc" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" }, { "vulnerability": "VCID-psmu-bqpc-tkah" }, { "vulnerability": "VCID-q32t-bhzw-kygq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10" } ], "aliases": [ "CVE-2021-30181", "GHSA-qmfc-6www-fjqw" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-eznq-hze7-kqfg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44630?format=api", "vulnerability_id": "VCID-f4ha-rjpx-yfgb", "summary": "Deserialization of Untrusted Data\nA deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23638", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.50291", "scoring_system": "epss", "scoring_elements": "0.97892", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.50291", "scoring_system": "epss", "scoring_elements": "0.97887", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.50291", "scoring_system": "epss", "scoring_elements": "0.97891", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23638" }, { "reference_url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-23T16:41:19Z/" } ], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23638", "reference_id": "CVE-2023-23638", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23638" }, { "reference_url": "https://github.com/advisories/GHSA-933g-v89r-x8pf", "reference_id": "GHSA-933g-v89r-x8pf", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-933g-v89r-x8pf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64254?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/137669?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/64255?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.13", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/64256?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.1.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3byz-42xs-3khg" }, { "vulnerability": "VCID-4cur-ezpv-k7fx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.1.5" } ], "aliases": [ "CVE-2023-23638", "GHSA-933g-v89r-x8pf" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f4ha-rjpx-yfgb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41449?format=api", "vulnerability_id": "VCID-h5n6-nuyj-dkcc", "summary": "Deserialization of Untrusted Data\nThe Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37579", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02891", "scoring_system": "epss", "scoring_elements": "0.86582", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02891", "scoring_system": "epss", "scoring_elements": "0.86605", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37579" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r898afa109cdbb4b79724308648ff0718152ebe1d3d6dfc7202d958bc%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37579", "reference_id": "CVE-2021-37579", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37579" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/58931?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2" } ], "aliases": [ "CVE-2021-37579", "GHSA-q897-9jxf-jg9r" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h5n6-nuyj-dkcc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110635?format=api", "vulnerability_id": "VCID-m7ca-pdzs-2yfd", "summary": "Server-side request forgery in Apache Dubbo\nbypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can cause open redirect or SSRF vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24969", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85299", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85328", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02387", "scoring_system": "epss", "scoring_elements": "0.85322", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24969" }, { "reference_url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread/1xbckc3467wfk5r7n2o44r2brdsbwxgr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24969", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24969" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640", "reference_id": "CVE-2021-25640", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640" }, { "reference_url": "https://github.com/advisories/GHSA-gm48-83x4-84jg", "reference_id": "GHSA-gm48-83x4-84jg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gm48-83x4-84jg" }, { "reference_url": "https://github.com/advisories/GHSA-gw4j-4229-q4px", "reference_id": "GHSA-gw4j-4229-q4px", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gw4j-4229-q4px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60096?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.15" } ], "aliases": [ "CVE-2022-24969", "GHSA-gm48-83x4-84jg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m7ca-pdzs-2yfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54557?format=api", "vulnerability_id": "VCID-pjyr-9fcr-qbcr", "summary": "Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling)\nApache Dubbo support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML rules, Dubbo customers may enable calling arbitrary constructors.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30180", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.04398", "scoring_system": "epss", "scoring_elements": "0.89204", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.04398", "scoring_system": "epss", "scoring_elements": "0.89186", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.04398", "scoring_system": "epss", "scoring_elements": "0.89202", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-30180" }, { "reference_url": "https://lists.apache.org/thread.html/raed526465e56204030ddf374b1959478a290e7511971d7aba2e9e39b%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/raed526465e56204030ddf374b1959478a290e7511971d7aba2e9e39b%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30180", "reference_id": "CVE-2021-30180", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-30180" }, { "reference_url": "https://github.com/advisories/GHSA-7wfc-x4f7-gg2x", "reference_id": "GHSA-7wfc-x4f7-gg2x", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7wfc-x4f7-gg2x" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80914?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-dj6s-gcjj-nuhr" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-h5n6-nuyj-dkcc" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" }, { "vulnerability": "VCID-psmu-bqpc-tkah" }, { "vulnerability": "VCID-q32t-bhzw-kygq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10" } ], "aliases": [ "CVE-2021-30180", "GHSA-7wfc-x4f7-gg2x" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pjyr-9fcr-qbcr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41450?format=api", "vulnerability_id": "VCID-psmu-bqpc-tkah", "summary": "Use of Externally-Controlled Format String\nA component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with special `toString` method.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36161", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02734", "scoring_system": "epss", "scoring_elements": "0.86238", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.02734", "scoring_system": "epss", "scoring_elements": "0.86261", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.02734", "scoring_system": "epss", "scoring_elements": "0.8626", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36161" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/r40212261fd5d638074b65f22ac73eebe93ace310c79d4cfcca4863da%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36161", "reference_id": "CVE-2021-36161", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36161" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" } ], "aliases": [ "CVE-2021-36161", "GHSA-qvm7-23cj-437v" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-psmu-bqpc-tkah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/41433?format=api", "vulnerability_id": "VCID-q32t-bhzw-kygq", "summary": "Code Injection\nApache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). An attacker with access to the configuration center he will be able to poison the rule so when retrieved by the consumers, it will get RCE on all of them.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36162", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77469", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77505", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01012", "scoring_system": "epss", "scoring_elements": "0.77496", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-36162" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/rfa351115a459e214b99ffcc52c35f33359f3370c547d9c6ba1a60037%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36162", "reference_id": "CVE-2021-36162", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36162" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58930?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/58931?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@3.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@3.0.2" } ], "aliases": [ "CVE-2021-36162", "GHSA-r577-4hq7-73qh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q32t-bhzw-kygq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/106085?format=api", "vulnerability_id": "VCID-yj9m-e31v-bqcw", "summary": "Apache Dubbo vulnerable to remote code execution via Telnet Handler\nApache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. \n\nAdditionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. \n\nVersions 2.6.10 and 2.7.10 contain fixes for this issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32824", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05859", "scoring_system": "epss", "scoring_elements": "0.90725", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.05859", "scoring_system": "epss", "scoring_elements": "0.90737", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32824" }, { "reference_url": "https://github.com/apache/dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/apache/dubbo" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32824", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32824" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-10T21:02:39Z/" } ], "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/" }, { "reference_url": "https://github.com/advisories/GHSA-fprr-rrm8-4534", "reference_id": "GHSA-fprr-rrm8-4534", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fprr-rrm8-4534" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80914?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-dj6s-gcjj-nuhr" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-h5n6-nuyj-dkcc" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" }, { "vulnerability": "VCID-psmu-bqpc-tkah" }, { "vulnerability": "VCID-q32t-bhzw-kygq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10" } ], "aliases": [ "CVE-2021-32824", "GHSA-fprr-rrm8-4534" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yj9m-e31v-bqcw" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/42750?format=api", "vulnerability_id": "VCID-2989-2ec6-jybq", "summary": "Server-Side Request Forgery (SSRF)\nIn Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-25640", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72483", "published_at": "2026-06-04T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72532", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00705", "scoring_system": "epss", "scoring_elements": "0.72525", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-25640" }, { "reference_url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77@%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.apache.org/thread.html/re4cab8855361a454d2af106fb3dad76259e723015fd7e09cb4f9eb77%40%3Cdev.dubbo.apache.org%3E" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640", "reference_id": "CVE-2021-25640", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25640" }, { "reference_url": "https://github.com/advisories/GHSA-gw4j-4229-q4px", "reference_id": "GHSA-gw4j-4229-q4px", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gw4j-4229-q4px" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/80921?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.6.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.6.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/80922?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9cck-3q13-1kej" }, { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-dj6s-gcjj-nuhr" }, { "vulnerability": "VCID-eznq-hze7-kqfg" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-h5n6-nuyj-dkcc" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" }, { "vulnerability": "VCID-pjyr-9fcr-qbcr" }, { "vulnerability": "VCID-psmu-bqpc-tkah" }, { "vulnerability": "VCID-q32t-bhzw-kygq" }, { "vulnerability": "VCID-yj9m-e31v-bqcw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/80914?format=api", "purl": "pkg:maven/org.apache.dubbo/dubbo@2.7.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9ngc-j571-m3ck" }, { "vulnerability": "VCID-ahzf-whmw-aue3" }, { "vulnerability": "VCID-dj6s-gcjj-nuhr" }, { "vulnerability": "VCID-f4ha-rjpx-yfgb" }, { "vulnerability": "VCID-h5n6-nuyj-dkcc" }, { "vulnerability": "VCID-m7ca-pdzs-2yfd" }, { "vulnerability": "VCID-psmu-bqpc-tkah" }, { "vulnerability": "VCID-q32t-bhzw-kygq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.10" } ], "aliases": [ "CVE-2021-25640", "GHSA-gw4j-4229-q4px" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2989-2ec6-jybq" } ], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.dubbo/dubbo@2.7.9" }