CVE
GHSA-5qwq-g2hx-r6f7
Hessian Lite for Apache Dubbo deserialization vulnerability
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
Package Versions Affected
Package Version
patch Availability
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
C
H
U
9.8
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Related Resources
No items found.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-39198, https://github.com/apache/dubbo-hessian-lite, https://github.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13, https://github.com/apache/dubbo/releases/tag/dubbo-2.7.18, https://github.com/apache/dubbo/releases/tag/dubbo-3.0.12, https://github.com/apache/dubbo/releases/tag/dubbo-3.1.1, https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk
Basic Information
Ecosystem
