CVE-2023-23638

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. 

This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
apacheCNA
5 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
apachedubbo
2.7.0 ≤
𝑥
≤ 2.7.21
apachedubbo
3.0.0 ≤
𝑥
≤ 3.0.13
apachedubbo
3.1.0 ≤
𝑥
≤ 3.1.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb
https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb