CVE-2021-43297 Information

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and earlier versions which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12, Apache Dubbo 2.7.x versions prior to 2.7.15, and Apache Dubbo 3.0.x versions prior to 3.0.5.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://lists.apache.org/thread/1mszxrvp90y01xob56yp002939c7hlww

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

HIGH