Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05N3J2LTg4Z2YtcGh2cs4AA3yx
Apache Dubbo: Bypass deny serialize list check in Apache Dubbo
Deserialization of Untrusted Data vulnerability in Apache Dubbo. This issue only affects Apache Dubbo 3.1.5: the deny list that is meant to reject dangerous classes during deserialization can be bypassed in that release.
Users are recommended to upgrade to the latest version, which fixes the issue (3.1.6 or later).
Permalink: https://github.com/advisories/GHSA-97rv-88gf-phvr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05N3J2LTg4Z2YtcGh2cs4AA3yx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-97rv-88gf-phvr, CVE-2023-46279
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-46279
- https://lists.apache.org/thread/zw53nxrkrfswmk9n3sfwxmcj7x030nmo
- http://www.openwall.com/lists/oss-security/2023/12/15/3
- https://github.com/advisories/GHSA-97rv-88gf-phvr
Affected Packages
maven:org.apache.dubbo:dubbo
Dependent packages: 245
Dependent repositories: 3,209
Downloads:
Affected Version Ranges: = 3.1.5
Fixed in: 3.1.6
All affected versions: 3.1.5
All unaffected versions: 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 2.7.19, 2.7.20, 2.7.21, 2.7.22, 2.7.23, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12
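The following Python is an added example and is not code from ecosyste.ms, the GitHub Advisory Database or the Dubbo project. It encodes the affected range (`= 3.1.5`) and fix version (`3.1.6`) shown above and checks a dependency list against them. The range grammar it accepts (`=`, `<`, `<=`, `>`, `>=` clauses separated by commas) goes beyond the single range on this page so the same check works for other advisories in this notation; the sample `mvn dependency:list` lines and the simplified Maven version ordering are assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Advisory data as shown on this page (GHSA-97rv-88gf-phvr / CVE-2023-46279).
ADVISORY = {
    "package": "org.apache.dubbo:dubbo",
    "affected_ranges": ["= 3.1.5"],
    "fixed_in": "3.1.6",
}


def parse_version(v: str) -> tuple:
    """Split a Maven-style version into a comparable tuple.

    Numeric parts compare numerically and trailing zeros are dropped so that
    3.1 == 3.1.0. A qualifier (e.g. '-SNAPSHOT', '-beta1') sorts before the
    bare release of the same number. This is an approximation of Maven's
    ComparableVersion that is sufficient for release-to-release comparison.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]([0-9A-Za-z.-]+))?$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = m.group(2)
    # (numbers, 0, '') for a release; (numbers, -1, qualifier) for a pre-release
    return tuple(nums), (0 if qualifier is None else -1), (qualifier or "")


_OPS = {
    "=": lambda a, b: a == b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def in_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies every clause of an advisory range such as
    '= 3.1.5' or '>= 3.0.0, < 3.1.6' (the notation used on this page)."""
    v = parse_version(version)
    for clause in range_expr.split(","):
        m = re.match(r"^\s*(<=|>=|<|>|=)\s*(\S+)\s*$", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def scan_dependency_list(lines: Iterable[str], advisory=ADVISORY) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, verdict) for each dependency line that
    matches the advisory's groupId:artifactId. Lines are expected in the
    'groupId:artifactId:type[:classifier]:version:scope' shape printed by
    `mvn dependency:list`, optionally prefixed with '[INFO]'."""
    findings = []
    for raw in lines:
        line = re.sub(r"^\[INFO\]\s*", "", raw.strip())
        parts = line.split(":")
        if len(parts) < 5:
            continue  # headers and non-coordinate lines
        coord = f"{parts[0]}:{parts[1]}"
        if coord != advisory["package"]:
            continue
        version = parts[-2]  # scope is last, version is second to last
        if any(in_range(version, r) for r in advisory["affected_ranges"]):
            verdict = "AFFECTED"
        elif parse_version(version) >= parse_version(advisory["fixed_in"]):
            verdict = "fixed"
        else:
            verdict = "not in affected range"
        findings.append((coord, version, verdict))
    return findings


# Constructed sample output (not a real build log) in `mvn dependency:list` format.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.dubbo:dubbo:jar:3.1.5:compile
[INFO]    org.apache.dubbo:dubbo:jar:3.1.6:test
[INFO]    org.apache.dubbo:dubbo:jar:3.1.4:compile
[INFO]    com.google.guava:guava:jar:32.1.2-jre:compile
""".splitlines()

if __name__ == "__main__":
    for coord, version, verdict in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord} {version}: {verdict}")
```

Run it against the real output of `mvn dependency:list` for a project to see which resolved Dubbo artifacts fall on 3.1.5; note that a transitive dependency pinned to 3.1.5 by another library is reported just like a direct one, which is the case this advisory's narrow `= 3.1.5` range makes easy to miss.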