CVE-2023-29234 - Vulnerability Details - OpenCVE

A deserialization vulnerability existed when decode a malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.

Users are recommended to upgrade to the latest version, which fixes the issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.87821.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Dubbo

Configuration 1 [-]

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-6x49-w35h-wqrj	Bypass serialize checks in Apache Dubbo

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/12/15/2
https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.87821}`	epss `{'score': 0.87624}`

Thu, 13 Feb 2025 17:00:00 +0000

Type	Values Removed	Values Added
Description	A deserialization vulnerability existed when decode a malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Users are recommended to upgrade to the latest version, which fixes the issue.	A deserialization vulnerability existed when decode a malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Users are recommended to upgrade to the latest version, which fixes the issue.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2023-12-15T08:14:47.561Z

Updated: 2025-02-13T16:49:03.349Z

Reserved: 2023-04-04T09:31:05.236Z

Link: CVE-2023-29234

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-15T09:15:07.380

Modified: 2025-02-13T17:16:18.023

Link: CVE-2023-29234

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-29234", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-04-04T09:31:05.236Z", "datePublished": "2023-12-15T08:14:47.561Z", "dateUpdated": "2025-02-13T16:49:03.349Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Dubbo", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "3.1.10", "status": "affected", "version": "3.1.0", "versionType": "semver"}, {"lessThanOrEqual": "3.2.4", "status": "affected", "version": "3.2.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bofei Chen, Lei Zhang, Guangliang Yang, Keke Lian and Xinyou Huang"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A deserialization vulnerability existed when decode a malicious package.<p>This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.</p><p>Users are recommended to upgrade to the latest version, which fixes the issue.</p>"}], "value": "A deserialization vulnerability existed when decode a\u00a0malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-12-15T08:15:07.526Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"}], "source": {"discovery": "UNKNOWN"}, "title": "Bypass serialize checks in Apache Dubbo", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:00:15.993Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"}, {"url": "http://www.openwall.com/lists/oss-security/2023/12/15/2", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "90144295-4896-4CC2-B290-39F6830432D0", "versionEndIncluding": "3.1.10", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "matchCriteriaId": "9EC0F851-B214-47EE-BCE0-20CC670C0F8C", "versionEndIncluding": "3.2.4", "versionStartIncluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed when decode a\u00a0malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4.\n\nUsers are recommended to upgrade to the latest version, which fixes the issue."}, {"lang": "es", "value": "Exist\u00eda una vulnerabilidad de deserializaci\u00f3n al decodificar un paquete malicioso. Este problema afecta a Apache Dubbo: desde 3.1.0 hasta 3.1.10, desde 3.2.0 hasta 3.2.4. Se recomienda a los usuarios que actualicen a la \u00faltima versi\u00f3n, lo que soluciona el problema."}], "id": "CVE-2023-29234", "lastModified": "2025-02-13T17:16:18.023", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-15T09:15:07.380", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/12/15/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/wb2df2whkdnbgp54nnqn0m94rllx8f77"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}