CVE-2020-11995 – org.apache.dubbo:dubbo-parent
Package
Manager: maven
Name: org.apache.dubbo:dubbo-parent
Vulnerable Version: >=2.7.0 <2.7.8 || >=0 <2.6.9
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01417 (percentile 0.79831)
Details
Deserialization exploitation in Apache Dubbo. A deserialization vulnerability existed in Dubbo 2.7.5 and earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol. While Hessian2 deserializes a HashMap object, certain methods of the classes stored in the HashMap are executed through a series of program calls, and those methods may lead to remote command execution. For example, the hashCode() method of the EqualsBean class in rome-1.7.0.jar can cause malicious classes to be loaded remotely and malicious code to be executed when an attacker constructs a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8 (so the affected range listed above runs through 2.7.7, not only 2.7.5).
The trigger point matters for defenders: a map deserializer rebuilds the HashMap by inserting each key, and insertion calls the key's hashCode(), so the gadget runs while the request body is still being decoded, before any service code inspects it. The CVSS vector above records this as an unauthenticated network attack with no user interaction. The rome example is one gadget chain that happens to need that library on the provider's classpath; the defect is the unrestricted deserialization itself, so removing one gadget library is not a substitute for upgrading.
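The following is an added example, not code from Apache Dubbo, rome or the advisory. It uses the JDK's own serialization as a stand-in for Hessian2 so that it runs with no dependencies: both mechanisms reconstruct a HashMap by calling put(key, value), and put() calls key.hashCode(). The class NoisyKey is a hypothetical, harmless stand-in for a gadget such as EqualsBean whose hashCode() has side effects; the allowlisting reader shows the generic mitigation of refusing unexpected classes before any instance is created, and is not the specific change shipped in Dubbo 2.6.9/2.7.8.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not Apache Dubbo or rome code. JDK serialization stands in for
 * Hessian2: both rebuild a HashMap with put(key, value), and put() calls key.hashCode().
 */
public class HashMapGadgetDemo {

    /** Hypothetical stand-in for a gadget class like rome's EqualsBean: hashCode() has a side effect. */
    static final class NoisyKey implements Serializable {
        private static final long serialVersionUID = 1L;
        /** Records each hashCode() call; static, so it is not part of the serialized payload. */
        static final List<String> CALLS = new ArrayList<>();
        private final String name;

        NoisyKey(String name) { this.name = name; }

        @Override public int hashCode() {
            // In a real gadget chain this is where attacker-controlled work happens
            // (EqualsBean.hashCode() leads to a remote class load). Here we only record the call.
            CALLS.add("hashCode() on " + name);
            return name.hashCode();
        }

        @Override public boolean equals(Object o) {
            return o instanceof NoisyKey && ((NoisyKey) o).name.equals(name);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Unsafe: instantiates whatever classes the stream names (the pre-fix situation). */
    static Object deserializeUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened: a class absent from the allowlist is rejected before any instance of it exists. */
    static Object deserializeAllowlisted(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload: a HashMap whose key is the "gadget", as a malicious request body would carry it.
        Map<NoisyKey, String> map = new HashMap<>();
        map.put(new NoisyKey("k1"), "v1");
        byte[] payload = serialize(map);
        NoisyKey.CALLS.clear(); // drop the hashCode() call made by put() while building the payload

        deserializeUnchecked(payload);
        // hashCode() ran inside readObject(), before any application code touched the map
        System.out.println("unchecked readObject: hashCode() calls = " + NoisyKey.CALLS.size());

        NoisyKey.CALLS.clear();
        try {
            deserializeAllowlisted(payload, Set.of("java.util.HashMap"));
        } catch (InvalidClassException e) {
            System.out.println("allowlisted readObject: rejected " + e.classname
                    + ", hashCode() calls = " + NoisyKey.CALLS.size());
        }
    }
}
```

Run with `java HashMapGadgetDemo.java` (JDK 11 or later): the unchecked path reports one hashCode() call made during readObject() itself, while the allowlisted path rejects HashMapGadgetDemo$NoisyKey and reports zero calls. On Java 9+ the same policy is better expressed with ObjectInputFilter (ObjectInputFilter.Config.createFilter) than by overriding resolveClass; for Dubbo the remedy is the upgrade named above, and `mvn dependency:tree -Dincludes=org.apache.dubbo` shows which version a build actually resolves, including transitive ones.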
Metadata
Created: 2022-02-09T22:27:01Z
Modified: 2021-04-06T22:54:20Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-74mg-6xqx-2vrq/GHSA-74mg-6xqx-2vrq.json
CWE IDs: CWE-502 (Deserialization of Untrusted Data)
Alternative ID: GHSA-74mg-6xqx-2vrq
Finding: F096
Auto approve: 1