CVE-2021-36163 is a vulnerability in Apache Dubbo
Published on September 7, 2021
Unsafe deserialization in providers using the Hessian protocol
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and therefore without applying the dubbo properties for applying allowed or blocked type lists. In addition, the generic service is always exposed and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13, 2.6.10.1
Products Associated with CVE-2021-36163
Want to know whenever a new CVE is published for Apache Dubbo? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Dubbo:- Version Apache Dubbo 2.7.x, <= 2.7.12 is affected.
- Version Apache Dubbo 2.6.x, <= 2.6.10 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.