CVE-2021-43297

Published: Jan 10, 2022

Modified: Aug 4, 2024

PUBLISHED

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Vendor	Product	Versions
Apache Software Foundation	Apache Dubbo	affected `Apache Dubbo 2.6.x - < 2.6.12` affected `Apache Dubbo 2.7.x - < 2.7.15` affected `Apache Dubbo 3.0.x - < 3.0.5`

Weaknesses (CWE)

CWE-502

References

https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-43297

Description

Affected Products

Weaknesses (CWE)

References