org.apache.dubbo:dubbo-common@2.7.5 vulnerabilities

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper sanitization when Dubbo generic invoked.

Upgrade org.apache.dubbo:dubbo-common to version 2.7.22, 3.0.14, 3.1.6 or higher.

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via arbitrary bean manipulation in the Telnet handler. This endpoint is unprotected and can be accessed via the Dubbo main service port to collect information, execute methods exposed by the service, and shut down the application. A provider method can be invoked using the invoke handler, which later uses PojoUtils.realize which can be used to instantiate arbitrary classes and invoke its setters.

Upgrade org.apache.dubbo:dubbo-common to version 2.7.10 or higher.

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Open Redirect due to the usage of parseURL method which can lead to a bypass of the white host check. This is a bypass of CVE-2021-25640 .

Upgrade org.apache.dubbo:dubbo-common to version 2.6.12, 2.7.15 or higher.

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to NULL Pointer Dereference. When the parseURL()/parseURLs() functions receive an empty address as an argument, or getDefaultExtension() return a null valued defaultextension, a null pointer dereference might occur leading to a potential crash.

Upgrade org.apache.dubbo:dubbo-common to version 2.7.15, 3.0.2 or higher.

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Some components in Dubbo will try to print the formatted string of the input arguments, which will possibly cause RCE for a maliciously customized bean with a special toString method.

Upgrade org.apache.dubbo:dubbo-common to version 2.7.13 or higher.

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. The Dubbo Provider will check that the incoming request and the corresponding serialization type of the request meet the configuration set by the server. However, there is an exception that the attacker can use to skip the security check (when enabled) and reach a deserialization operation with native Java serialization.

Upgrade org.apache.dubbo:dubbo-common to version 2.7.13, 3.0.2 or higher.

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Open Redirect. The usage of parseURL method will lead to the bypass of white host check which can cause open redirect or SSRF vulnerability.

Upgrade org.apache.dubbo:dubbo-common to version 2.7.10, 2.6.10 or higher.

org.apache.dubbo:dubbo-common is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can send RPC requests with unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it will execute malicious code.

Upgrade org.apache.dubbo:dubbo-common to version 2.7.8 or higher.