CVE-2021-43297 is a vulnerability in Apache Dubbo
Published on January 10, 2022
Dubbo Hessian cause RCE when parse error
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2021-43297 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2021-43297
Want to know whenever a new CVE is published for Apache Dubbo? stack.watch will email you.
Affected Versions
Apache Software Foundation Apache Dubbo:- Version Apache Dubbo 2.6.x and below 2.6.12 is affected.
- Version Apache Dubbo 2.7.x and below 2.7.15 is affected.
- Version Apache Dubbo 3.0.x and below 3.0.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.