CVE-2023-23638 - Vulnerability Details - OpenCVE

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.

This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.65584.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apache	Dubbo

Configuration 1 [-]

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-933g-v89r-x8pf	Apache Dubbo vulnerable to Deserialization of Untrusted Data

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.65155}`	epss `{'score': 0.65594}`

Wed, 23 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-03-08T10:48:58.574Z

Updated: 2024-10-23T16:41:29.622Z

Reserved: 2023-01-17T04:09:09.075Z

Link: CVE-2023-23638

Vulnrichment

Updated: 2024-08-02T10:35:33.761Z

NVD

Status : Modified

Published: 2023-03-08T11:15:10.390

Modified: 2024-11-21T07:46:35.343

Link: CVE-2023-23638

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23638", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-01-17T04:09:09.075Z", "datePublished": "2023-03-08T10:48:58.574Z", "dateUpdated": "2024-10-23T16:41:29.622Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Dubbo", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.7.21", "status": "affected", "version": "Apache Dubbo 2.7.x", "versionType": "maven"}, {"lessThanOrEqual": "3.0.13", "status": "affected", "version": "Apache Dubbo 3.0.x", "versionType": "maven"}, {"lessThanOrEqual": "3.1.5", "status": "affected", "version": "Apache Dubbo 3.1.x", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "yemoli\u3001R1ckyZ\u3001Koishi\u3001cxc"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. <br><br>This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "}], "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-03-08T10:48:58.574Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Dubbo Deserialization Vulnerability Gadgets Bypass", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.761Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-23T16:41:19.165832Z", "id": "CVE-2023-23638", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T16:41:29.622Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.761Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-23638", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-23T16:41:19.165832Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-23T16:41:24.759Z"}}], "cna": {"title": "Apache Dubbo Deserialization Vulnerability Gadgets Bypass", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "yemoli\u3001R1ckyZ\u3001Koishi\u3001cxc"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Dubbo", "versions": [{"status": "affected", "version": "Apache Dubbo 2.7.x", "versionType": "maven", "lessThanOrEqual": "2.7.21"}, {"status": "affected", "version": "Apache Dubbo 3.0.x", "versionType": "maven", "lessThanOrEqual": "3.0.13"}, {"status": "affected", "version": "Apache Dubbo 3.1.x", "versionType": "maven", "lessThanOrEqual": "3.1.5"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. ", "supportingMedia": [{"type": "text/html", "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. <br><br>This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-03-08T10:48:58.574Z"}}}, "cveMetadata": {"cveId": "CVE-2023-23638", "state": "PUBLISHED", "dateUpdated": "2024-10-23T16:41:29.622Z", "dateReserved": "2023-01-17T04:09:09.075Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-03-08T10:48:58.574Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "A275DC61-7FD6-4908-8213-2925FCA7ACDD", "versionEndIncluding": "2.7.21", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "630DC28C-2AD7-4730-83F3-048D7B75F847", "versionEndIncluding": "3.0.13", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F75BA1E-C9C7-4462-A4FE-A6C5F8128796", "versionEndIncluding": "3.1.5", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "}], "id": "CVE-2023-23638", "lastModified": "2024-11-21T07:46:35.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security@apache.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-08T11:15:10.390", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}