Description
A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
Remediation
References
https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk
Related Vulnerabilities
CVE-2023-49673 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner
CVE-2022-47937 Vulnerability in maven package org.apache.sling:org.apache.sling.commons.json
CVE-2023-35150 Vulnerability in maven package org.xwiki.platform:xwiki-platform-invitation-ui
CVE-2020-26217 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2018-19362 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind