org.apache.dubbo:dubbo-rpc-api@2.7.7 vulnerabilities

latest version

3.2.11
latest non vulnerable version

3.3.0-beta.2
first published

5 years ago
latest version published

3 months ago
licenses detected
- Apache-2.0
  [2.7.0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.dubbo:dubbo-rpc-api package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Deserialization of Untrusted Data org.apache.dubbo:dubbo-rpc-api is a high-performance, java based, open source RPC framework. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Each Apache Dubbo server will set a serialization ID to tell the clients which serialization protocol it is using. An attacker can choose which serialization ID the Provider will use by tampering with the byte preamble flags. This means that if a weak deserializer such as the Kryo and FST is within the code scope, a remote unauthenticated attacker can tell the Provider to use the weak deserializer and then proceed to exploit it. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.dubbo:dubbo-rpc-api` to version 2.7.9, 2.6.10 or higher.	[2.7.0,2.7.9) [2.5.0,2.6.10)
H Deserialization of Untrusted Data org.apache.dubbo:dubbo-rpc-api is a high-performance, java based, open source RPC framework. Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can send RPC requests with unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it will execute malicious code. How to fix Deserialization of Untrusted Data? Upgrade `org.apache.dubbo:dubbo-rpc-api` to version 2.7.8 or higher.	[,2.7.8)

Deserialization of Untrusted Data

org.apache.dubbo:dubbo-rpc-api is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. Each Apache Dubbo server will set a serialization ID to tell the clients which serialization protocol it is using. An attacker can choose which serialization ID the Provider will use by tampering with the byte preamble flags. This means that if a weak deserializer such as the Kryo and FST is within the code scope, a remote unauthenticated attacker can tell the Provider to use the weak deserializer and then proceed to exploit it.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.dubbo:dubbo-rpc-api to version 2.7.9, 2.6.10 or higher.

[2.7.0,2.7.9) [2.5.0,2.6.10)

Deserialization of Untrusted Data

org.apache.dubbo:dubbo-rpc-api is a high-performance, java based, open source RPC framework.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. An attacker can send RPC requests with unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it will execute malicious code.

How to fix Deserialization of Untrusted Data?

Upgrade org.apache.dubbo:dubbo-rpc-api to version 2.7.8 or higher.

[,2.7.8)

Go back to all versions of this package

org.apache.dubbo:dubbo-rpc-api@2.7.7 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities