Every CVE whose affected-product data names Apache Dubbo, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (19)
CVE-2023-46279 — CVSS 9.8 (critical): Deserialization of Untrusted Data vulnerability in Apache Dubbo.This issue only affects Apache Dubbo 3.1.5. Users are recommended to…
CVE-2020-11995 — CVSS 9.8 (critical): A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo…
CVE-2020-1948 — CVSS 9.8 (critical): This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service…
CVE-2021-43297 — CVSS 9.8 (critical): A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code…
CVE-2022-39198 — CVSS 9.8 (critical): A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code…
CVE-2023-29234 — CVSS 9.8 (critical): A deserialization vulnerability existed when decode a malicious package.This issue affects Apache Dubbo: from 3.1.0 through 3.1.10, from…
CVE-2019-17564 — CVSS 9.8 (critical): Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java…
CVE-2021-25641 — CVSS 9.8 (critical): Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo…
CVE-2021-30179 — CVSS 9.8 (critical): Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These…
CVE-2021-30180 — CVSS 9.8 (critical): Apache Dubbo prior to 2.7.9 support Tag routing which will enable a customer to route the request to the right server. These rules are used…
CVE-2021-30181 — CVSS 9.8 (critical): Apache Dubbo prior to 2.6.9 and 2.7.9 supports Script routing which will enable a customer to route the request to the right server. These…
CVE-2021-32824 — CVSS 9.8 (critical): Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code…
CVE-2021-36161 — CVSS 9.8 (critical): Some component in Dubbo will try to print the formated string of the input arguments, which will possibly cause RCE for a maliciously…
CVE-2021-36163 — CVSS 9.8 (critical): In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a…
CVE-2021-37579 — CVSS 9.8 (critical): The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by…
CVE-2021-36162 — CVSS 8.8 (high): Apache Dubbo supports various rules to support configuration override or traffic routing (called routing in Dubbo). These rules are loaded…
CVE-2021-25640 — CVSS 6.1 (medium): In Apache Dubbo prior to 2.6.9 and 2.7.9, the usage of parseURL method will lead to the bypass of white host check which can cause open…
CVE-2022-24969 — CVSS 6.1 (medium): bypass CVE-2021-25640 > In Apache Dubbo prior to 2.6.12 and 2.7.15, the usage of parseURL method will lead to the bypass of the white host…
CVE-2023-23638 — CVSS 5.0 (medium): A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache…