
CVE-2020-1948 org.apache.dubbo:dubbo-common

Package

Manager: maven
Name: org.apache.dubbo:dubbo-common
Vulnerable Version: >=0 <2.7.7
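
The range above applies to the exact Maven coordinates org.apache.dubbo:dubbo-common. The script below is an added example written for this page; it is not part of the advisory or of the Dubbo project. It scans `mvn dependency:tree` output for that artifact and flags any version inside `>=0 <2.7.7`. The dependency tree it reads is a constructed sample, and its version comparator is a simplified form of Maven's ordering (numeric components compared numerically, trailing zeros ignored, a qualifier such as -SNAPSHOT sorting below the bare release), not Maven's own ComparableVersion.

```python
import itertools
import re

# Constructed sample of `mvn dependency:tree` output, not taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.apache.dubbo:dubbo:jar:2.7.6:compile
[INFO] |  +- org.apache.dubbo:dubbo-common:jar:2.7.6:compile
[INFO] |  \\- org.apache.dubbo:dubbo-remoting-api:jar:2.7.6:compile
[INFO] +- com.example:payments-client:jar:3.2.0:compile
[INFO] |  \\- org.apache.dubbo:dubbo-common:jar:2.7.10:compile
[INFO] \\- org.apache.dubbo:dubbo-common:jar:2.7.7:test
"""

VULNERABLE_COORDS = "org.apache.dubbo:dubbo-common"   # from the advisory
VULNERABLE_RANGE = ">=0 <2.7.7"                        # from the advisory

# groupId:artifactId:type[:classifier]:version:scope, as dependency:tree prints it
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([\w.\-]+):(\w+)")


def parse_version(version):
    """Split a version into comparable tokens. Simplified Maven ordering:
    numeric tokens sort above qualifiers, trailing zeros are insignificant."""
    tokens = []
    for tok in re.split(r"[.\-]", version.lower()):
        tokens.append((1, int(tok)) if tok.isdigit() else (0, tok))
    while tokens and tokens[-1] == (1, 0):
        tokens.pop()
    return tokens


def compare_versions(a, b):
    """Return <0, 0 or >0 as a is older than, equal to or newer than b."""
    for x, y in itertools.zip_longest(parse_version(a), parse_version(b), fillvalue=(1, 0)):
        if x != y:
            return -1 if x < y else 1
    return 0


def in_range(version, range_expr):
    """True if version satisfies every space-separated constraint in range_expr."""
    for constraint in range_expr.split():
        op, bound = re.fullmatch(r"(>=|<=|>|<|=)(.+)", constraint).groups()
        c = compare_versions(version, bound)
        if not {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]:
            return False
    return True


def find_vulnerable(tree_text, coords=VULNERABLE_COORDS, range_expr=VULNERABLE_RANGE):
    """Return (version, scope) for every occurrence of coords whose version is in range_expr."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and f"{m.group(1)}:{m.group(2)}" == coords and in_range(m.group(3), range_expr):
            hits.append((m.group(3), m.group(4)))
    return hits


if __name__ == "__main__":
    for version, scope in find_vulnerable(SAMPLE_TREE):
        print(f"VULNERABLE {VULNERABLE_COORDS}:{version} ({scope}) is in {VULNERABLE_RANGE}")
```

On the sample tree only the 2.7.6 compile-scope copy is flagged; 2.7.7 and 2.7.10 fall outside the range. The match is keyed on the exact coordinates, so other org.apache.dubbo artifacts in the tree are not reported by this check even when they share the same version.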

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base score 9.8)

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (base score 9.3)

EPSS: 0.67997 (percentile 0.98537), i.e. an estimated 68% probability of exploitation in the wild within the next 30 days, higher than about 98.5% of all scored CVEs

Details

Deserialization of Untrusted Data in Apache Dubbo (CWE-502). This vulnerability affects all Dubbo users on version 2.7.6 or lower. An attacker can send an RPC request whose service name or method name is not recognized by the provider, together with a malicious serialized parameter payload. The provider still deserializes the parameters of such a request, and deserializing the malicious payload executes attacker-controlled code. Upgrade to 2.7.7 or later.
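The mechanism described above, reduced to a runnable model. This is an added example written for this page; it is not Dubbo's code, does not use Dubbo's wire format, and the registry, frames, type names and the RunCommand stand-in gadget are all constructed. It contrasts a decoder that resolves argument types from the wire descriptor and deserializes before checking the target (the shape of flaw the advisory describes) with one that rejects unknown service and method names first and takes parameter types only from the server-side contract.

```python
import json

# Constructed server-side contract. In the hardened decoder this is the ONLY
# source of parameter types; nothing read from the wire may override it.
REGISTRY = {
    "com.example.GreetingService": {"sayHello": (str,)},
}


class RunCommand:
    """Stand-in for a deserialization gadget: merely constructing it has a
    side effect. A real gadget chain would execute the command."""
    executed = []

    def __init__(self, cmd):
        RunCommand.executed.append(cmd)


# Type descriptors a naive decoder resolves straight from the wire (constructed).
WIRE_TYPES = {"java.lang.String": str, "com.example.RunCommand": RunCommand}


def deserialize_as(cls, raw):
    """Toy deserializer: build an instance of cls from the raw wire value."""
    if cls is str:
        if not isinstance(raw, str):
            raise TypeError("expected a string")
        return raw
    return cls(raw)


def decode_vulnerable(frame):
    """Resolves parameter types from the attacker-supplied descriptor and
    deserializes the arguments BEFORE checking that the target exists."""
    req = json.loads(frame)
    types = [WIRE_TYPES[desc] for desc in req["param_desc"]]
    args = [deserialize_as(t, raw) for t, raw in zip(types, req["args"])]
    service = REGISTRY.get(req["service"])
    if service is None or req["method"] not in service:
        raise LookupError("no such service or method")  # too late: args already built
    return args


def decode_hardened(frame):
    """Checks the target first and takes parameter types from the server's own
    contract, so the wire descriptor never chooses what gets instantiated."""
    req = json.loads(frame)
    service = REGISTRY.get(req["service"])
    if service is None or req["method"] not in service:
        raise LookupError("no such service or method")
    declared = service[req["method"]]
    if len(req["args"]) != len(declared):
        raise ValueError("argument count does not match the declared signature")
    return [deserialize_as(t, raw) for t, raw in zip(declared, req["args"])]


def exercise(decoder, frame):
    """Run a decoder on one frame; report the outcome and any gadget side effects."""
    RunCommand.executed.clear()
    try:
        decoder(frame)
        outcome = "accepted"
    except (LookupError, ValueError, TypeError, KeyError):
        outcome = "rejected"
    return outcome, list(RunCommand.executed)


# Constructed frames. MALICIOUS targets a method that does not exist and names a
# gadget type in the descriptor; MISMATCH targets a real method but still names
# the gadget type, to show the descriptor must be ignored even for known targets.
BENIGN = json.dumps({"service": "com.example.GreetingService", "method": "sayHello",
                     "param_desc": ["java.lang.String"], "args": ["world"]})
MALICIOUS = json.dumps({"service": "com.example.GreetingService", "method": "noSuchMethod",
                        "param_desc": ["com.example.RunCommand"], "args": ["id"]})
MISMATCH = json.dumps({"service": "com.example.GreetingService", "method": "sayHello",
                       "param_desc": ["com.example.RunCommand"], "args": ["id"]})

if __name__ == "__main__":
    for name, decoder in (("vulnerable", decode_vulnerable), ("hardened", decode_hardened)):
        for label, frame in (("benign", BENIGN), ("malicious", MALICIOUS), ("mismatch", MISMATCH)):
            print(f"{name:10} {label:9} -> {exercise(decoder, frame)}")
```

The vulnerable decoder does eventually reject the unknown method, which is why a late check is not a fix: the gadget has already been constructed by the time the error is raised. The mismatch frame shows the other half of the hardening, the wire descriptor is ignored even for a known method, so a descriptor naming a gadget class cannot steer deserialization there either.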

Metadata

Created: 2022-02-10T22:39:17Z
Modified: 2021-05-10T21:50:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-whww-v56c-cgv2/GHSA-whww-v56c-cgv2.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-whww-v56c-cgv2
Finding: F096
Auto approve: 1