Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Bypass deserialization checks in Apache Dubbo
Vulnerability Description
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Apache Dubbo 代码问题漏洞
Vulnerability Description
Apache Dubbo是美国阿帕奇(Apache)基金会的一款基于Java的轻量级RPC(远程过程调用)框架。该产品提供了基于接口的远程呼叫、容错和负载平衡以及自动服务注册和发现等功能。 Apache Dubbo Provider 存在代码问题漏洞,该漏洞源于 Dubbo Provider 会检查传入的请求以及该请求对应的序列化类型是否符合服务器设置的配置。 但是有一个例外,攻击者可以使用它来跳过安全检查(启用时)并使用本机 java 序列化进行反序列化操作。
CVSS Information
N/A
Vulnerability Type
N/A