Critical severityNVD Advisory· Published Sep 9, 2021· Updated Aug 4, 2024
Bypass deserialization checks in Apache Dubbo
CVE-2021-37579
Description
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.dubbo:dubboMaven | < 2.7.13 | 2.7.13 |
org.apache.dubbo:dubboMaven | >= 3.0.0, < 3.0.2 | 3.0.2 |
Affected products
2- Apache Software Foundation/Apache Dubbov5Range: Apache Dubbo 2.7.x
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.