CVE-2023-23638 - OpenCVE

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Dubbo

Configuration 1 [-]

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

No data.

References

Link	Providers
https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-03-08T10:48:58.574Z

Updated: 2024-08-02T10:35:33.761Z

Reserved: 2023-01-17T04:09:09.075Z

Link: CVE-2023-23638

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-08T11:15:10.390

Modified: 2023-11-07T04:07:50.990

Link: CVE-2023-23638

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-23638", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-01-17T04:09:09.075Z", "datePublished": "2023-03-08T10:48:58.574Z", "dateUpdated": "2024-08-02T10:35:33.761Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Dubbo", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.7.21", "status": "affected", "version": "Apache Dubbo 2.7.x", "versionType": "maven"}, {"lessThanOrEqual": "3.0.13", "status": "affected", "version": "Apache Dubbo 3.0.x", "versionType": "maven"}, {"lessThanOrEqual": "3.1.5", "status": "affected", "version": "Apache Dubbo 3.1.x", "versionType": "maven"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "yemoli\u3001R1ckyZ\u3001Koishi\u3001cxc"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. <br><br>This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "}], "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-03-08T10:48:58.574Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Dubbo Deserialization Vulnerability Gadgets Bypass", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:35:33.761Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "A275DC61-7FD6-4908-8213-2925FCA7ACDD", "versionEndIncluding": "2.7.21", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "630DC28C-2AD7-4730-83F3-048D7B75F847", "versionEndIncluding": "3.0.13", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F75BA1E-C9C7-4462-A4FE-A6C5F8128796", "versionEndIncluding": "3.1.5", "versionStartIncluding": "3.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. \n\nThis issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. "}], "id": "CVE-2023-23638", "lastModified": "2023-11-07T04:07:50.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2023-03-08T11:15:10.390", "references": [{"source": "security@apache.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}]}