A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| com.alibaba:hessian-lite(Maven) | 0 | 3.2.13 | N/A |
| org.apache.dubbo:dubbo(Maven) | 2.7.0 | 2.7.18 | N/A |
| org.apache.dubbo:dubbo(Maven) | 3.0.0 | 3.0.12 | N/A |
| org.apache.dubbo:dubbo(Maven) | 3.1.0 | 3.1.1 | N/A |
CVSS Metrics
