org.apache.dubbo:dubbo
Ecosystem: Maven. 16 known CVEs affecting this package.
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.dubbo:dubbo
- CVE-2020-1948 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.7 | 2020-07-14
  vulnerable: 2.7.0 ... 2.7.6 (8 versions)
  This vulnerability can affect all Dubbo users who stay on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is des…
- CVE-2021-25640 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.7.10 | 2021-06-01
  vulnerable: 2.7.0 ... 2.7.9 (11 versions)
  In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of the parseURL method will lead to the bypass of the white host check, which can cause an open redirect or SSRF vulnerability.
- CVE-2021-25641 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.8 | 2021-06-01
  vulnerable: 2.7.0 ... 2.7.7 (9 versions)
  Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by ta…
- CVE-2021-30179 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.10 | 2021-06-01
  vulnerable: 2.7.0 ... 2.7.9 (11 versions)
  Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter, which will find the service and method specified in the first a…
- CVE-2021-30180 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.10 | 2021-06-01
  vulnerable: 2.7.0 ... 2.7.9 (11 versions)
  Apache Dubbo prior to 2.7.9 supports Tag routing, which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When parsing these YAML…
- CVE-2021-30181 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.10 | 2021-06-01
  vulnerable: 2.7.0 ... 2.7.9 (11 versions)
  Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing, which will enable a customer to route the request to the right server. These rules are used by the customers when making a request in order to find the right endpoint. When pars…
- CVE-2021-36161 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.13 | 2021-09-09
  vulnerable: 2.7.0 ... 2.7.9 (14 versions)
  Some component in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with a special toString method. In the latest version, we fix the toString call in timeout,…
- CVE-2021-36162 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 3.0.2 | 2021-09-07
  vulnerable: 3.0.0, 3.0.0.preview, 3.0.1
  Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded into the configuration center (e.g. Zookeeper, Nacos, ...) and retrieved by the customers when making…
- CVE-2021-36163 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.6.10.1 | 2021-09-07
  In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: new HessianSkeleton are created without any configuratio…
- CVE-2021-37579 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.0.2 | 2021-09-09
  vulnerable: 3.0.0, 3.0.0.preview, 3.0.1
  The Dubbo Provider will check that the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabl…
- CVE-2021-43297 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.0.5 | 2022-01-10
  vulnerable: 3.0.0 ... 3.0.4 (7 versions)
  A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; during Hessia…
- CVE-2022-24969 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.7.15 | 2022-06-09
  vulnerable: 2.7.0 ... 2.7.9 (16 versions)
  Bypass of CVE-2021-25640: In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of the parseURL method will lead to the bypass of the white host check, which can cause an open redirect or SSRF vulnerability.
- CVE-2022-39198 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.1.1 | 2022-10-18
  vulnerable: 3.1.0
  A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x versio…
- CVE-2023-23638 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 3.1.5 | 2023-03-08
  vulnerable: 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4
  A deserialization vulnerability existed in dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior version…
- CVE-2023-29234 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.2.5 | 2023-12-15
  vulnerable: 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4
  A deserialization vulnerability existed when decoding a malicious package. This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from 3.2.0 through 3.2.4. Users are recommended to upgrade to the latest version, which fixes the issue.
- CVE-2023-46279 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 3.1.6 | 2023-12-15
  vulnerable: 3.1.5
  Deserialization of Untrusted Data vulnerability in Apache Dubbo. This issue only affects Apache Dubbo 3.1.5. Users are recommended to upgrade to the latest version, which fixes the issue.