oss-sec mailing list archives

CVE-2023-23638: Apache Dubbo Deserialization Vulnerability Gadgets Bypass

From: Albumen Kevin <albumenj () apache org>
Date: Wed, 08 Mar 2023 08:46:26 +0000

Description:

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. 

This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior 
versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

Credit:

yemoli、R1ckyZ、Koishi、cxc (reporter)

References:

https://dubbo.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-23638

Current thread:

CVE-2023-23638: Apache Dubbo Deserialization Vulnerability Gadgets Bypass Albumen Kevin (Mar 08)