A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.dubbo:dubbo(Maven) | 0 | 2.7.22 | N/A |
| org.apache.dubbo:dubbo(Maven) | 3.0.0 | 3.0.13 | N/A |
| org.apache.dubbo:dubbo(Maven) | 3.1.0 | 3.1.5 | N/A |
CVSS Metrics
