Apache Dubbo

19 CVEs affecting Apache Dubbo. Latest disclosed: 2023-12-15. Critical: 15, High: 1.

Top CVEs affecting Apache Dubbo
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-46279 | Critical | 9.8 | 2023-12-15 | Deserialization of Untrusted Data vulnerability in Apache Dubbo. This issue only affects Apache Dubbo 3.1.5. Users are recommended to upgrade to the latest ver… |
| CVE-2023-29234 | Critical | 9.8 | 2023-12-15 | A deserialization vulnerability existed when decode a malicious package. This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4. … |
| CVE-2021-32824 | Critical | 9.8 | 2023-01-03 | Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bea… |
| CVE-2022-39198 | Critical | 9.8 | 2022-10-18 | A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects… |
| CVE-2021-43297 | Critical | 9.8 | 2022-01-10 | A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users u… |
| CVE-2021-37579 | Critical | 9.8 | 2021-09-09 | The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there… |
| CVE-2021-36161 | Critical | 9.8 | 2021-09-09 | Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously customized bean with spec… |
| CVE-2021-36163 | Critical | 9.8 | 2021-09-07 | In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directl… |
| CVE-2021-30181 | Critical | 9.8 | 2021-06-01 | Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by th… |
| CVE-2021-30180 | Critical | 9.8 | 2021-06-01 | Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers wh… |
| CVE-2021-30179 | Critical | 9.8 | 2021-06-01 | Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by t… |
| CVE-2021-25641 | Critical | 9.8 | 2021-06-01 | Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or… |
| CVE-2020-11995 | Critical | 9.8 | 2021-01-11 | A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as… |
| CVE-2020-1948 | Critical | 9.8 | 2020-07-14 | This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name a… |
| CVE-2019-17564 | Critical | 9.8 | 2020-04-01 | Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to com… |
| CVE-2021-36162 | High | 8.8 | 2021-09-07 | Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configurati… |
| CVE-2022-24969 | Medium | 6.1 | 2022-06-09 | bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can caus… |
| CVE-2021-25640 | Medium | 6.1 | 2021-06-01 | In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulner… |
| CVE-2023-23638 | Medium | 5.0 | 2023-03-08 | A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x versio… |