9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-23638

GHSA ID

GHSA-933g-v89r-x8pf

EPSS Score

0.98364%

CWE

CWE-502

Published

3/8/2023

Updated

3/17/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-23638

CVE-2023-23638: Apache Dubbo vulnerable to Deserialization of Untrusted Data

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-23638

GHSA ID

GHSA-933g-v89r-x8pf

EPSS Score

0.98364%

CWE

CWE-502

Published

3/8/2023

Updated

3/17/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.dubbo:dubbo	maven	< 2.7.21	2.7.22
org.apache.dubbo:dubbo	maven	>= 3.0.0, < 3.0.13	3.0.13
org.apache.dubbo:dubbo	maven	>= 3.1.0, < 3.1.5	3.1.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly occurs during 'dubbo generic invoke' per all advisory sources. GenericFilter is Dubbo's core handler for generic invocations and would be responsible for deserializing parameters. While no patch diffs are available, the consistent description of the attack vector (generic invoke deserialization) and Dubbo's architecture strongly implicate GenericFilter.invoke() as the entry point where unsafe deserialization would occur. The function's position in the RPC processing chain makes it the logical location for exploit triggering.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* **s*ri*liz*tion vuln*r**ility *xist** w**n *u**o **n*ri* invok*, w*i** *oul* l*** to m*li*ious *o** *x**ution. T*is issu* *****ts *p**** *u**o *.*.x v*rsion *.*.** *n* prior v*rsions; *p**** *u**o *.*.x v*rsion *.*.** *n* prior v*rsions; *p**** *u*

Reasoning

T** vuln*r**ility *xpli*itly o**urs *urin* '*u**o **n*ri* invok*' p*r *ll **visory sour**s. **n*ri**ilt*r is *u**o's *or* **n*l*r *or **n*ri* invo**tions *n* woul* ** r*sponsi*l* *or **s*ri*lizin* p*r*m*t*rs. W*il* no p*t** *i**s *r* *v*il**l*, t** *

9.8

Basic Information

Concerned about an active attack path?

CVE-2023-23638: Apache Dubbo vulnerable to Deserialization of Untrusted Data

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI