CVE-2023-23638

Deserialization of Untrusted Data in maven/org.apache.dubbo/dubbo

Identifiers

CVE-2023-23638, GHSA-933g-v89r-x8pf

Package Slug

maven/org.apache.dubbo/dubbo

Vulnerability

Deserialization of Untrusted Data

Description

A deserialization vulnerability exists in Dubbo's generic invocation (generic invoke) path: untrusted data supplied to a generic call can be deserialized by the provider, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x versions 2.7.21 and prior; Apache Dubbo 3.0.x versions 3.0.13 and prior; and Apache Dubbo 3.1.x versions 3.1.5 and prior.

Affected Versions

All versions before 2.7.22, all versions starting from 3.0.0 before 3.0.14, all versions starting from 3.1.0 before 3.1.6 (2.7.21, 3.0.13 and 3.1.5 are the last affected releases on each line)
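The following is an added example, not part of this advisory or of the Dubbo project: a small checker that applies the three affected ranges above to org.apache.dubbo:dubbo versions found in Maven dependency output. The function names, the exact text of the Maven lines and the sample dependency tree are assumptions constructed for the example; only the version boundaries come from the advisory. Snapshot or pre-release builds whose number equals the fix version are flagged as affected, since such a build may have been cut before the fix landed.

```python
"""Classify org.apache.dubbo:dubbo versions against the CVE-2023-23638 ranges.

Added example, not the advisory's or the project's own code. Assumed inputs:
lines in the style of `mvn dependency:tree` output (format constructed here).
"""
import re
from typing import List, Tuple

# First fixed version on each affected release line (from the advisory).
FIXED = {
    (2, 7): (2, 7, 22),
    (3, 0): (3, 0, 14),
    (3, 1): (3, 1, 6),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(v: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), has_qualifier).

    '3.1.5-SNAPSHOT' -> ((3, 1, 5), True); '2.7.22' -> ((2, 7, 22), False).
    A missing patch number is treated as 0.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return nums, bool(m.group(4))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    nums, has_qualifier = parse_version(version)
    major, minor, _ = nums
    if nums < (3, 0, 0):
        key = (2, 7)            # "all versions before 2.7.22"
    elif (major, minor) in FIXED:
        key = (major, minor)    # 3.0.x or 3.1.x line
    else:
        return False            # 3.2.x and later are not listed as affected
    fixed = FIXED[key]
    if nums < fixed:
        return True
    # Conservative: a qualified build of the fix version (e.g. 3.1.6-SNAPSHOT)
    # may predate the fix, so do not trust the number alone.
    return has_qualifier and nums == fixed


# Matches the dubbo core artifact only, e.g.
# '[INFO] +- org.apache.dubbo:dubbo:jar:3.1.5:compile' (dubbo-common etc. are skipped).
_DEP_RE = re.compile(r"org\.apache\.dubbo:dubbo:jar:([^:\s]+)")


def scan_dependency_output(text: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every dubbo core artifact line found."""
    results = []
    for line in text.splitlines():
        m = _DEP_RE.search(line)
        if m:
            results.append((m.group(1), is_affected(m.group(1))))
    return results


# Constructed sample resembling `mvn dependency:tree` output for two modules.
SAMPLE_TREE = r"""
[INFO] --- dependency:tree @ service-a ---
[INFO] com.example:service-a:jar:1.0.0
[INFO] +- org.apache.dubbo:dubbo:jar:3.1.5:compile
[INFO] |  \- org.apache.dubbo:dubbo-common:jar:3.1.5:compile
[INFO] --- dependency:tree @ service-b ---
[INFO] com.example:service-b:jar:1.0.0
[INFO] \- org.apache.dubbo:dubbo:jar:2.7.22:compile
"""

if __name__ == "__main__":
    for version, affected in scan_dependency_output(SAMPLE_TREE):
        print(f"dubbo {version}: {'AFFECTED' if affected else 'ok'}")
```

In practice pipe the real output in, e.g. `mvn dependency:tree | python3 check_dubbo.py`, after replacing the constructed sample with `sys.stdin.read()`; the checker only looks at the `org.apache.dubbo:dubbo` artifact, so a project that pulls Dubbo in through a starter or BOM still shows the resolved core version on its own line.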

Solution

Upgrade to version 2.7.22 (2.7.x line), 3.0.14 (3.0.x line) or 3.1.6 (3.1.x line), or a later release on the same line; these are the first releases that contain the fix.

Last Modified

2023-03-09
