VYPR
Critical severityNVD Advisory· Published Jan 10, 2022· Updated Aug 4, 2024

Dubbo Hessian cause RCE when parse error

CVE-2021-43297

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.dubbo:dubboMaven
>= 2.6.0, < 2.6.122.6.12
org.apache.dubbo:dubboMaven
>= 2.7.0, < 2.7.152.7.15
org.apache.dubbo:dubboMaven
>= 3.0.0, < 3.0.53.0.5

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.