CVE-2021-43297 - Vulnerability Details - OpenCVE

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.4684.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Dubbo

Configuration 1 [-]

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-vp5x-3v8r-qprw	Deserialization of Untrusted Data in Dubbo

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-01-10T15:25:48

Updated: 2024-08-04T03:55:28.375Z

Reserved: 2021-11-03T00:00:00

Link: CVE-2021-43297

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-10T16:15:09.527

Modified: 2024-11-21T06:29:01.710

Link: CVE-2021-43297

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Apache Dubbo", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.6.12", "status": "affected", "version": "Apache Dubbo 2.6.x", "versionType": "custom"}, {"lessThan": "2.7.15", "status": "affected", "version": "Apache Dubbo 2.7.x", "versionType": "custom"}, {"lessThan": "3.0.5", "status": "affected", "version": "Apache Dubbo 3.0.x", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc&yhbl&wh1t3p1g&fynch3r from G5-RD6@IIE 2. yxxx"}], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."}], "metrics": [{"other": {"content": {"other": "high"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-10T15:25:48", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}], "source": {"discovery": "UNKNOWN"}, "title": "Dubbo Hessian cause RCE when parse error", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-43297", "STATE": "PUBLIC", "TITLE": "Dubbo Hessian cause RCE when parse error"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Dubbo", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache Dubbo 2.6.x", "version_value": "2.6.12"}, {"version_affected": "<", "version_name": "Apache Dubbo 2.7.x", "version_value": "2.7.15"}, {"version_affected": "<", "version_name": "Apache Dubbo 3.0.x", "version_value": "3.0.5"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "There are differences in the use of entrances. The following people or organizations reported security vulnerabilities independently. Sort by discovery time: 1. cxc&yhbl&wh1t3p1g&fynch3r from G5-RD6@IIE 2. yxxx"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "high"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww", "refsource": "MISC", "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:55:28.375Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-43297", "datePublished": "2022-01-10T15:25:48", "dateReserved": "2021-11-03T00:00:00", "dateUpdated": "2024-08-04T03:55:28.375Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C18088F-7CD5-4E22-9749-F4B703347A68", "versionEndExcluding": "2.6.12", "versionStartIncluding": "2.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2FBCC30-3E2F-4826-9E57-D01F158B4184", "versionEndExcluding": "2.7.15", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCE9F3A7-DA3B-40DA-B048-68D52395DE2B", "versionEndExcluding": "3.0.5", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de deserializaci\u00f3n en Dubbo Hessian-lite versiones 3.2.11 y sus versiones anteriores, que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo malicioso. La mayor\u00eda de usuarios de Dubbo usan Hessian2 como el protocolo de serializaci\u00f3n/deserializaci\u00f3n por defecto, durante la captura de excepciones no esperadas de Hessian, Hessian sacar\u00e1 alguna informaci\u00f3n para usuarios, lo que puede causar una ejecuci\u00f3n de comandos remotos. Este problema afecta a Apache Dubbo versiones 2.6.x anteriores a 2.6.12; Apache Dubbo versiones 2.7.x anteriores a 2.7.15; Apache Dubbo versiones 3.0.x anteriores a 3.0.5"}], "id": "CVE-2021-43297", "lastModified": "2024-11-21T06:29:01.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-10T16:15:09.527", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}