9.8

CVSS Score

Basic Information

CVE ID

CVE-2021-43297

GHSA ID

GHSA-vp5x-3v8r-qprw

EPSS Score

CWE

CWE-502

Published

1/12/2022

Updated

2/3/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43297

CVE-2021-43297:
Deserialization of Untrusted Data in Dubbo

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2021-43297

GHSA ID

GHSA-vp5x-3v8r-qprw

EPSS Score

CWE

CWE-502

Published

1/12/2022

Updated

2/3/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.dubbo:dubbo	maven	>= 2.6.0, < 2.6.12	2.6.12
org.apache.dubbo:dubbo	maven	>= 2.7.0, < 2.7.15	2.7.15
org.apache.dubbo:dubbo	maven	>= 3.0.0, < 3.0.5	3.0.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe deserialization during exception handling in Hessian2. Analysis of advisory details indicates the root cause is in class resolution mechanisms (SerializerFactory) and deserialization entry points (Hessian2Input). These functions would appear in stack traces when: 1) Malicious payloads are deserialized via readObject, and 2) Exception handling triggers additional unsafe deserialization through the factory. The lack of class restrictions in getDeserializer is the primary vulnerability enabler.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* **s*ri*liz*tion vuln*r**ility *xist** in *u**o **ssi*n-lit* *.*.** *n* its **rli*r v*rsions, w*i** *oul* l*** to m*li*ious *o** *x**ution. Most *u**o us*rs us* **ssi*n* *s t** ****ult s*ri*liz*tion/**s*ri*liz*tion proto*ol, *urin* **ssi*n **t** un*

Reasoning

T** vuln*r**ility st*ms *rom uns*** **s*ri*liz*tion *urin* *x**ption **n*lin* in **ssi*n*. *n*lysis o* **visory **t*ils in*i**t*s t** root **us* is in *l*ss r*solution m****nisms (S*ri*liz*r***tory) *n* **s*ri*liz*tion *ntry points (**ssi*n*Input). T

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-43297: Deserialization of Untrusted Data in Dubbo

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-43297:
Deserialization of Untrusted Data in Dubbo

Vulnerability Intelligence
Miggo AI