9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39198

GHSA ID

GHSA-5qwq-g2hx-r6f7

EPSS Score

0.89165%

CWE

CWE-502

Published

10/19/2022

Updated

2/1/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39198

CVE-2022-39198: Hessian Lite for Apache Dubbo deserialization vulnerability

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39198

CVE-2022-39198:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39198

GHSA ID

GHSA-5qwq-g2hx-r6f7

EPSS Score

0.89165%

CWE

CWE-502

Published

10/19/2022

Updated

2/1/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.alibaba:hessian-lite	maven	<= 3.2.12	3.2.13
org.apache.dubbo:dubbo	maven	>= 2.7.0, <= 2.7.17	2.7.18
org.apache.dubbo:dubbo	maven	>= 3.0.0, <= 3.0.11	3.0.12
org.apache.dubbo:dubbo	maven	= 3.1.0	3.1.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insecure deserialization in hessian-lite <=3.2.12. The patch in 3.2.13 explicitly added checks for Serializable implementation and updated deny lists, indicating that prior versions lacked these critical validations. The SerializerFactory's deserializer resolution (getObjectDeserializer) and the core deserialization entry point (Hessian2Input.readObject) are the logical points where these security controls were missing. Dubbo's dependency updates to hessian-lite 3.2.13 in their patched versions confirm the root cause lies in hessian-lite's deserialization logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39198: Hessian Lite for Apache Dubbo deserialization vulnerability

CVE-2022-39198:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

9.8

9.8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-39198: Hessian Lite for Apache Dubbo deserialization vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI