CVE-2021-36163
Unsafe deserialization in providers using the Hessian protocol
Vexday Risk Score
3 (Low)
SSVC decision (CISA)
Track
No sign of exploitation → monitor
CVSS: n/a
EPSS: 2.8%
KEV: no
PoC: n/a
Nuclei: n/a
Metasploit: n/a
Patch: n/a
Lifecycle
07 Sep 2021: published in NVD
Recommendation: Monitor; no sign of exploitation for now.
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton. New HessianSkeleton instances are created without any configuration of the serialization factory, and therefore without applying the Dubbo properties that define the allowed or blocked type lists. In addition, the generic service is always exposed, so attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13 and 2.6.10.1.
Affected products
Apache Software Foundation · Apache Dubbo