Severity: moderate
Affected versions:
- Apache Dubbo 3.1.0 through 3.1.10
- Apache Dubbo 3.2.0 through 3.2.4
Description:
A deserialization vulnerability existed when decoding a malicious package. This issue affects Apache Dubbo: from 3.1.0
through 3.1.10, from 3.2.0 through 3.2.4.
Users are recommended to upgrade to the latest version, which fixes the issue.
Credit:
Bofei Chen, Lei Zhang, Guangliang Yang, Keke Lian and Xinyou Huang (finder)
References:
https://dubbo.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-29234