GHSA-933g-v89r-x8pf: Apache Dubbo vulnerable to Deserialization of Untrusted Data
A deserialization vulnerability existed in Apache Dubbo's generic invoke feature, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
CVE ID: CVE-2023-23638
Severity: Moderate • GitHub Reviewed • Published Mar 8, 2023 to the GitHub Advisory Database • Updated Mar 8, 2023
Package
org.apache.dubbo:dubbo (Maven)
Affected versions
< 2.7.21
>= 3.0.0, < 3.0.13
>= 3.1.0, < 3.1.5
Patched versions
2.7.21
3.0.13
3.1.5
Published by the National Vulnerability Database
Mar 8, 2023
Published to the GitHub Advisory Database
Mar 8, 2023