Vulnerability-Lookup

CVE-2021-32824 (GCVE-0-2021-32824)

Vulnerability from cvelistv5 – Published: 2023-01-03 00:00 – Updated: 2025-03-10 21:33

Title

Regular expression Denial of Service in MooTools

Summary

Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

https://securitylab.github.com/advisories/GHSL-20…

Impacted products

	Vendor	Product	Version
	Apache	Dubbo	Affected: 2.6.10 , < 2.6.10 (custom) Affected: 2.7.10 , < 2.7.10 (custom) Affected: 2.7.0 , < 2.7.0* (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:55.692Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-32824",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T21:02:39.261493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:33:25.495Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Dubbo",
          "vendor": "Apache",
          "versions": [
            {
              "lessThan": "2.6.10",
              "status": "affected",
              "version": "2.6.10",
              "versionType": "custom"
            },
            {
              "lessThan": "2.7.10",
              "status": "affected",
              "version": "2.7.10",
              "versionType": "custom"
            },
            {
              "lessThan": "2.7.0*",
              "status": "affected",
              "version": "2.7.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-03T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
        }
      ],
      "source": {
        "advisory": "GHSL-2021-039",
        "defect": [
          "GHSL-2021-039"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Regular expression Denial of Service in MooTools",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32824",
    "datePublished": "2023-01-03T00:00:00.000Z",
    "dateReserved": "2021-05-12T00:00:00.000Z",
    "dateUpdated": "2025-03-10T21:33:25.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T23:33:55.692Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-32824\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T21:02:39.261493Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T21:02:40.582Z\"}}], \"cna\": {\"title\": \"Regular expression Denial of Service in MooTools\", \"source\": {\"defect\": [\"GHSL-2021-039\"], \"advisory\": \"GHSL-2021-039\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Apache\", \"product\": \"Dubbo\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.6.10\", \"lessThan\": \"2.6.10\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.7.10\", \"lessThan\": \"2.7.10\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.7.0\", \"lessThan\": \"2.7.0*\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502 Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-01-03T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-32824\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:33:25.495Z\", \"dateReserved\": \"2021-05-12T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-01-03T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2021-32824

Vulnerability from fkie_nvd - Published: 2023-01-03 18:15 - Updated: 2024-11-21 06:07

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/	Exploit, Third Party Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	dubbo	*
	apache	dubbo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5B86A59-6090-40DA-BF2D-FA2B524A96FA",
              "versionEndExcluding": "2.6.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A6C2034-505D-477A-83EE-E7ECDDD142A9",
              "versionEndExcluding": "2.7.10",
              "versionStartIncluding": "2.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue."
    },
    {
      "lang": "es",
      "value": "Apache Dubbo es un framework RPC de c\u00f3digo abierto basado en Java. Las versiones anteriores a 2.6.10 y 2.7.10 son vulnerables a la ejecuci\u00f3n remota de c\u00f3digo previo a la autenticaci\u00f3n mediante manipulaci\u00f3n arbitraria de beans en el controlador Telnet. El puerto de servicio principal de Dubbo se puede utilizar para acceder a un controlador Telnet que ofrece algunos m\u00e9todos b\u00e1sicos para recopilar informaci\u00f3n sobre los proveedores y los m\u00e9todos expuestos por el servicio e incluso puede permitir cerrar el servicio. Este punto final no est\u00e1 protegido. Adem\u00e1s, se puede invocar un m\u00e9todo de proveedor utilizando el controlador `invoke`. Este controlador utiliza una versi\u00f3n segura de FastJson para procesar los argumentos de la llamada. Sin embargo, la lista resultante se procesa posteriormente con `PojoUtils.realize`, que puede usarse para crear instancias de clases arbitrarias e invocar a sus definidores. Aunque FastJson est\u00e1 protegido adecuadamente con una lista de bloqueo predeterminada, `PojoUtils.realize` no lo est\u00e1, y un atacante puede aprovechar eso para lograr la ejecuci\u00f3n remota de c\u00f3digo. Las versiones 2.6.10 y 2.7.10 contienen correcciones para este problema."
    }
  ],
  "id": "CVE-2021-32824",
  "lastModified": "2024-11-21T06:07:49.563",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-01-03T18:15:12.420",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-FPRR-RRM8-4534

Vulnerability from github – Published: 2023-01-03 18:30 – Updated: 2023-01-05 12:03

Summary

Apache Dubbo vulnerable to remote code execution via Telnet Handler

Details

Apache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected.

Additionally, a provider method can be invoked using the invoke handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with PojoUtils.realize which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, PojoUtils.realize is not, and an attacker can leverage that to achieve remote code execution.

Versions 2.6.10 and 2.7.10 contain fixes for this issue.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dubbo:dubbo-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.dubbo:dubbo-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32824"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-05T12:03:28Z",
    "nvd_published_at": "2023-01-03T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Apache Dubbo is a Java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-authorization remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. \n\nAdditionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. \n\nVersions 2.6.10 and 2.7.10 contain fixes for this issue.",
  "id": "GHSA-fprr-rrm8-4534",
  "modified": "2023-01-05T12:03:28Z",
  "published": "2023-01-03T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32824"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/dubbo"
    },
    {
      "type": "ADVISORY",
      "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Dubbo vulnerable to remote code execution via Telnet Handler"
}

GSD-2021-32824

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-32824

Aliases

CVE-2021-32824

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-32824",
    "id": "GSD-2021-32824"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-32824"
      ],
      "details": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.",
      "id": "GSD-2021-32824",
      "modified": "2023-12-13T01:23:08.662004Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-32824",
        "STATE": "PUBLIC",
        "TITLE": "Regular expression Denial of Service in MooTools"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Dubbo",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "2.6.10",
                          "version_value": "2.6.10"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "2.7.10",
                          "version_value": "2.7.10"
                        },
                        {
                          "version_affected": "\u003e=",
                          "version_name": "2.7.0",
                          "version_value": "2.7.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-502 Deserialization of Untrusted Data"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/",
            "refsource": "CONFIRM",
            "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
          }
        ]
      },
      "source": {
        "advisory": "GHSL-2021-039",
        "defect": [
          "GHSL-2021-039"
        ],
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.6.10),[2.7.0,2.7.10)",
          "affected_versions": "All versions before 2.6.10, all versions starting from 2.7.0 before 2.7.10",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2023-01-05",
          "description": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 is vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.",
          "fixed_versions": [
            "2.6.10",
            "2.7.10"
          ],
          "identifier": "CVE-2021-32824",
          "identifiers": [
            "GHSA-fprr-rrm8-4534",
            "CVE-2021-32824"
          ],
          "not_impacted": "All versions starting from 2.6.10 before 2.7.0, all versions starting from 2.7.10",
          "package_slug": "maven/org.apache.dubbo/dubbo-parent",
          "pubdate": "2023-01-03",
          "solution": "Upgrade to versions 2.6.10, 2.7.10 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32824",
            "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/",
            "https://github.com/advisories/GHSA-fprr-rrm8-4534"
          ],
          "uuid": "3d1e6b42-7b16-41b5-85e5-f2a0909cabf4"
        },
        {
          "affected_range": "(,2.6.10),[2.7.0,2.7.10)",
          "affected_versions": "All versions before 2.6.10, all versions starting from 2.7.0 before 2.7.10",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-502",
            "CWE-937"
          ],
          "date": "2023-01-10",
          "description": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 is vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.",
          "fixed_versions": [
            "2.6.10",
            "2.7.10"
          ],
          "identifier": "CVE-2021-32824",
          "identifiers": [
            "CVE-2021-32824"
          ],
          "not_impacted": "",
          "package_slug": "maven/org.apache.dubbo/dubbo",
          "pubdate": "2023-01-03",
          "solution": "Upgrade to versions 2.6.10, 2.7.10 or above.",
          "title": "Deserialization of Untrusted Data",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-32824",
            "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
          ],
          "uuid": "edb05f43-434a-46ca-a904-de514da8d1bb"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.7.10",
                "versionStartIncluding": "2.7.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.6.10",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32824"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service and it can even allow to shutdown the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary classes and invoke its setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-502"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-01-10T13:57Z",
      "publishedDate": "2023-01-03T18:15Z"
    }
  }
}

CNVD-2023-25935

Vulnerability from cnvd - Published: 2023-04-12

Title

Apache Dubbo代码问题漏洞（CNVD-2023-25935）

Description

Apache Dubbo是美国阿帕奇（Apache）基金会的一款基于Java的轻量级RPC（远程过程调用）框架。该产品提供了基于接口的远程呼叫、容错和负载平衡以及自动服务注册和发现等功能。 Apache Dubbo存在代码问题漏洞，该漏洞源于容易受到通过Telnet处理程序中的任意bean操作进行预授权远程代码执行的攻击，攻击者可利用该漏洞实现远程代码执行。

Severity

高

Patch Name

Apache Dubbo代码问题漏洞（CNVD-2023-25935）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-32824

Impacted products

Name
['Apache Apache Dubbo <2.6.10', 'Apache Dubbo >=2.7.0，<2.7.10']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32824",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-32824"
    }
  },
  "description": "Apache Dubbo\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u8f7b\u91cf\u7ea7RPC\uff08\u8fdc\u7a0b\u8fc7\u7a0b\u8c03\u7528\uff09\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u57fa\u4e8e\u63a5\u53e3\u7684\u8fdc\u7a0b\u547c\u53eb\u3001\u5bb9\u9519\u548c\u8d1f\u8f7d\u5e73\u8861\u4ee5\u53ca\u81ea\u52a8\u670d\u52a1\u6ce8\u518c\u548c\u53d1\u73b0\u7b49\u529f\u80fd\u3002\n\nApache Dubbo\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bb9\u6613\u53d7\u5230\u901a\u8fc7Telnet\u5904\u7406\u7a0b\u5e8f\u4e2d\u7684\u4efb\u610fbean\u64cd\u4f5c\u8fdb\u884c\u9884\u6388\u6743\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u7684\u653b\u51fb\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u73b0\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://securitylab.github.com/advisories/GHSL-2021-034_043-apache-dubbo/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-25935",
  "openTime": "2023-04-12",
  "patchDescription": "Apache Dubbo\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u7684\u8f7b\u91cf\u7ea7RPC\uff08\u8fdc\u7a0b\u8fc7\u7a0b\u8c03\u7528\uff09\u6846\u67b6\u3002\u8be5\u4ea7\u54c1\u63d0\u4f9b\u4e86\u57fa\u4e8e\u63a5\u53e3\u7684\u8fdc\u7a0b\u547c\u53eb\u3001\u5bb9\u9519\u548c\u8d1f\u8f7d\u5e73\u8861\u4ee5\u53ca\u81ea\u52a8\u670d\u52a1\u6ce8\u518c\u548c\u53d1\u73b0\u7b49\u529f\u80fd\u3002\r\n\r\nApache Dubbo\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bb9\u6613\u53d7\u5230\u901a\u8fc7Telnet\u5904\u7406\u7a0b\u5e8f\u4e2d\u7684\u4efb\u610fbean\u64cd\u4f5c\u8fdb\u884c\u9884\u6388\u6743\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u7684\u653b\u51fb\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u73b0\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Dubbo\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2023-25935\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Apache Dubbo \u003c2.6.10",
      "Apache Dubbo \u003e=2.7.0\uff0c\u003c2.7.10"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-32824",
  "serverity": "\u9ad8",
  "submitTime": "2023-01-06",
  "title": "Apache Dubbo\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2023-25935\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-32824 (GCVE-0-2021-32824)

FKIE_CVE-2021-32824

GHSA-FPRR-RRM8-4534

GSD-2021-32824

CNVD-2023-25935

Tags

Sightings

Nomenclature