org.apache.dubbo:dubbo-rpc-api@2.7.5 vulnerabilities
-
latest version
3.2.11
-
latest non vulnerable version
-
first published
5 years ago
-
latest version published
3 months ago
-
licenses detected
- [2.7.0,)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.apache.dubbo:dubbo-rpc-api package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
org.apache.dubbo:dubbo-rpc-api is a high-performance, java based, open source RPC framework. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Each Apache Dubbo server will set a serialization ID to tell the clients which serialization protocol it is using. An attacker can choose which serialization ID the Provider will use by tampering with the byte preamble flags. This means that if a weak deserializer such as the Kryo and FST is within the code scope, a remote unauthenticated attacker can tell the Provider to use the weak deserializer and then proceed to exploit it. How to fix Deserialization of Untrusted Data? Upgrade |
[2.7.0,2.7.9)
[2.5.0,2.6.10)
|
org.apache.dubbo:dubbo-rpc-api is a high-performance, java based, open source RPC framework. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can send RPC requests with unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it will execute malicious code. How to fix Deserialization of Untrusted Data? Upgrade |
[,2.7.8)
|