Description
This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.
Remediation
References
https://nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert/
https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E
Related Vulnerabilities
CVE-2023-34612 Vulnerability in maven package com.helger.commons:ph-json
CVE-2017-12648 Vulnerability in maven package com.liferay:com.liferay.frontend.taglib
CVE-2017-11556 Vulnerability in npm package node-sass
CVE-2018-8025 Vulnerability in maven package org.apache.hbase:hbase-thrift
CVE-2021-28170 Vulnerability in maven package org.glassfish:jakarta.el