CVE-2021-43297

Summary

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache DubboApache Dubbo 2.6.x < 2.6.12affected
Apache Software FoundationApache DubboApache Dubbo 2.7.x < 2.7.15affected
Apache Software FoundationApache DubboApache Dubbo 3.0.x < 3.0.5affected

Weaknesses

  • CWE-502: CWE-502 Deserialization of Untrusted Data

ADP Enrichment

CVE Program Container

Additional References

References