Apache Dubbo
19 CVEs affecting Apache Dubbo. Latest disclosed: 2023-12-15. Critical: 15, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2023-46279 | Critical | 9.8 | 2023-12-15 | Deserialization of Untrusted Data vulnerability in Apache Dubbo. This issue only affects Apache Dubbo 3.1.5. Users are recommended to upgrade to the latest ver… |
| CVE-2023-29234 | Critical | 9.8 | 2023-12-15 | A deserialization vulnerability existed when decode a malicious package. This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4. … |
| CVE-2021-32824 | Critical | 9.8 | 2023-01-03 | Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bea… |
| CVE-2022-39198 | Critical | 9.8 | 2022-10-18 | A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects… |
| CVE-2021-43297 | Critical | 9.8 | 2022-01-10 | A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users u… |
| CVE-2021-37579 | Critical | 9.8 | 2021-09-09 | The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there… |
| CVE-2021-36161 | Critical | 9.8 | 2021-09-09 | Some component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with spec… |
| CVE-2021-36163 | Critical | 9.8 | 2021-09-07 | In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directl… |
| CVE-2021-30181 | Critical | 9.8 | 2021-06-01 | Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These rules are used by th… |
| CVE-2021-30180 | Critical | 9.8 | 2021-06-01 | Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used by the customers wh… |
| CVE-2021-30179 | Critical | 9.8 | 2021-06-01 | Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by t… |
| CVE-2021-25641 | Critical | 9.8 | 2021-06-01 | Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or… |
| CVE-2020-11995 | Critical | 9.8 | 2021-01-11 | A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as… |
| CVE-2020-1948 | Critical | 9.8 | 2020-07-14 | This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name a… |
| CVE-2019-17564 | Critical | 9.8 | 2020-04-01 | Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to com… |
| CVE-2021-36162 | High | 8.8 | 2021-09-07 | Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configurati… |
| CVE-2022-24969 | Medium | 6.1 | 2022-06-09 | bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host check which can caus… |
| CVE-2021-25640 | Medium | 6.1 | 2021-06-01 | In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulner… |
| CVE-2023-23638 | Medium | 5.0 | 2023-03-08 | A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x versio… |