Description
A deserialization vulnerability existed in Dubbo hessian-lite 3.2.11 and earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol. When Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; and Apache Dubbo 3.0.x versions prior to 3.0.5.
No analysis available yet.
Remediation
No remediation available yet.
Advisories
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-vp5x-3v8r-qprw | Deserialization of Untrusted Data in Dubbo |
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-08-04T03:55:28.375Z
Reserved: 2021-11-03T00:00:00.000Z
Link: CVE-2021-43297
Status : Modified
Published: 2022-01-10T16:15:09.527
Modified: 2024-11-21T06:29:01.710
Link: CVE-2021-43297
Weaknesses
Github GHSA