CVELIST:CVE-2020-11995 (cvelist / Apache)
History: Jan 11, 2021 - 9:40 a.m.

CVE-2020-11995: Apache Dubbo default deserialization protocol Hessian2 causes RCE

Published: 2021-01-11 09:40:19
CWE: CWE-502
Vendor: apache
Source: www.cve.org
5
Tags: apache dubbo, deserialization, vulnerability, hessian2, remote execution, code, security fix

AI Score: 9.7 (Confidence: High)
EPSS: 0.009 (Percentile: 83.2%)

A deserialization vulnerability exists in Dubbo 2.7.5 and earlier versions, which can lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol. While Hessian2 deserializes a HashMap object, inserting each decoded entry into the map calls hashCode() (and, on a collision, equals()) on the key, so methods of whatever key classes the sender chose are executed during deserialization, before the application ever sees the decoded object, and some of those methods can be chained into remote command execution. For example, the hashCode() method of the EqualsBean class in rome-1.7.0.jar can be made to remotely load malicious classes and execute malicious code through a crafted request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.

Note that the CNA affected-version data below marks every version before 2.6.9 as affected and 2.7.8 as the first unaffected 2.7.x release, so do not rely on the "2.7.5 and earlier" wording alone: treat 2.6.x below 2.6.9 and 2.7.x below 2.7.8 as vulnerable and upgrade to the fixed releases.
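The mechanism the description above relies on, HashMap.put() invoking key.hashCode() while Hessian2 rebuilds a map, as an added illustration that is not code from Dubbo or from this advisory. It uses the stock com.caucho.hessian Hessian2 API and a benign key class whose hashCode() only increments a counter, standing in for a real gadget such as EqualsBean. The allow-list half assumes the ClassFactory API (getClassFactory(), setWhitelist(), allow()) of Hessian 4.0.51 and later; Dubbo bundles a forked hessian-lite under a different package, so the package names and the allow-list mechanism there are assumptions to check against your version. The first decode, with the library default, reports a non-zero hashCode() count without any application code having run; with the allow-list the key class is never resolved, so the count stays at zero whether the decoder throws or substitutes a generic map.

```java
import com.caucho.hessian.io.ClassFactory;
import com.caucho.hessian.io.Hessian2Input;
import com.caucho.hessian.io.Hessian2Output;
import com.caucho.hessian.io.SerializerFactory;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Demonstrates that Hessian2 calls hashCode() on map keys while decoding a HashMap,
 * and that a class allow-list prevents the attacker-chosen key class from being
 * instantiated at all. Added example; not part of Dubbo or the advisory.
 */
public class Hessian2HashMapKeyDemo {

    /** Benign stand-in for a gadget class such as rome's EqualsBean: hashCode() has a side effect. */
    public static class SideEffectKey implements Serializable {
        private static final long serialVersionUID = 1L;
        static int hashCodeCalls = 0;   // counts hashCode() invocations across all instances
        public String name;

        public SideEffectKey() { }                   // Hessian instantiates via the no-arg constructor
        public SideEffectKey(String name) { this.name = name; }

        @Override public int hashCode() {
            hashCodeCalls++;                         // a real gadget would start its chain here
            return name == null ? 0 : name.hashCode();
        }

        @Override public boolean equals(Object o) {
            return o instanceof SideEffectKey
                    && String.valueOf(((SideEffectKey) o).name).equals(String.valueOf(name));
        }
    }

    /** Hessian2-encode an object, as a Dubbo client would encode an RPC argument. */
    static byte[] encode(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        Hessian2Output out = new Hessian2Output(bos);
        out.writeObject(obj);
        out.close();
        return bos.toByteArray();
    }

    /** Hessian2-decode with the given SerializerFactory (null means the library default). */
    static Object decode(byte[] data, SerializerFactory factory) throws IOException {
        Hessian2Input in = new Hessian2Input(new ByteArrayInputStream(data));
        if (factory != null) {
            in.setSerializerFactory(factory);
        }
        return in.readObject();
    }

    /** Decode and report how many times SideEffectKey.hashCode() fired during decoding alone. */
    static int hashCodeCallsDuringDecode(byte[] payload, SerializerFactory factory) {
        SideEffectKey.hashCodeCalls = 0;
        try {
            decode(payload, factory);
        } catch (Exception e) {
            // With an allow-list the unknown class may be rejected outright; no hashCode() ran either way.
            System.out.println("decode rejected: " + e);
        }
        return SideEffectKey.hashCodeCalls;
    }

    public static void main(String[] args) throws IOException {
        // Constructed payload: a HashMap whose key is the "gadget" class.
        Map<SideEffectKey, String> map = new HashMap<>();
        map.put(new SideEffectKey("attacker-controlled"), "x");
        byte[] payload = encode(map);

        // 1. Library default: MapDeserializer calls HashMap.put(), which calls key.hashCode().
        System.out.println("default factory: hashCode() calls during decode = "
                + hashCodeCallsDuringDecode(payload, null));

        // 2. Allow-list (assumed Hessian 4.0.51+ ClassFactory API): only listed packages resolve,
        //    so SideEffectKey is never instantiated and its hashCode() never runs.
        SerializerFactory strict = new SerializerFactory();
        ClassFactory classes = strict.getClassFactory();
        classes.setWhitelist(true);
        classes.allow("java.util.*");
        classes.allow("java.lang.*");
        System.out.println("allow-list factory: hashCode() calls during decode = "
                + hashCodeCallsDuringDecode(payload, strict));
    }
}
```

The point of the counter is that the side effect happens inside readObject(), before any Dubbo service method is dispatched, which is why an authentication check or input validation placed in the service layer does not help: the only effective controls are restricting which classes the decoder may instantiate and upgrading to a release whose bundled Hessian does so by default.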

CNA Affected

[
  {
    "product": "Apache Dubbo",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "changes": [
          {
            "at": "2.7.8",
            "status": "unaffected"
          }
        ],
        "lessThan": "2.6.9",
        "status": "affected",
        "version": "Apache Dubbo",
        "versionType": "custom"
      }
    ]
  }
]

