Deserialization in Apache Software Foundation Dubbo

CVE-2023-29234

A deserialization vulnerability existed when decoding a malicious package. This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Users are recommended to upgrade to the latest version, which fixes the issue.

Vulnerability class: Insecure Deserialization

EPSS: 0.890 (99.5th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2023-29234?
CVE-2023-29234 is a vulnerability in Apache Software Foundation Dubbo, classified under Deserialization of Untrusted Data. Published 2023-12-15.
Is CVE-2023-29234 known to be exploited?
27 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.