Critical severityNVD Advisory· Published Mar 8, 2023· Updated Oct 23, 2024
Apache Dubbo Deserialization Vulnerability Gadgets Bypass
CVE-2023-23638
Description
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.
This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.dubbo:dubboMaven | < 2.7.22 | 2.7.22 |
org.apache.dubbo:dubboMaven | >= 3.0.0, < 3.0.13 | 3.0.13 |
org.apache.dubbo:dubboMaven | >= 3.1.0, < 3.1.5 | 3.1.5 |
Affected products
2- Apache Software Foundation/Apache Dubbov5Range: Apache Dubbo 2.7.x
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-933g-v89r-x8pfghsaADVISORY
- lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cbghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-23638ghsaADVISORY
News mentions
0No linked articles in our index yet.