PT-2023-7948 · Apache · Apache Dubbo

Bofei Chen

Publicado

2023-12-15

Atualizado

2023-12-21

CVE-2023-29234

CVSS v3.1

Crítica

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Apache Dubbo versions 3.1.0 through 3.1.10 Apache Dubbo versions 3.2.0 through 3.2.4

Description A deserialization vulnerability exists when decoding a malicious package, which can allow a remote attacker to execute arbitrary code or cause a denial of service. The issue is related to shortcomings in the deserialization mechanism of the Apache Dubbo RPC framework.

Recommendations For Apache Dubbo versions 3.1.0 through 3.1.10, upgrade to the latest version to fix the issue. For Apache Dubbo versions 3.2.0 through 3.2.4, upgrade to the latest version to fix the issue. As a temporary workaround, consider restricting the decoding of packages to minimize the risk of exploitation.

Correção

Deserialization of Untrusted Data

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-502

Identificadores relacionados

BDU:2023-09032

CVE-2023-29234

GHSA-6X49-W35H-WQRJ

Produtos afetados

Apache Dubbo

PT-2023-7948 · Apache · Apache Dubbo

CVE-2023-29234

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 15