CVE-2022-39198

Published: Oct 18, 2022Modified: May 13, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.

Affected (3)

Products: Apache: Dubbo

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Apache Dubbo	From 2.7.0 to 2.7.17
Apache Dubbo	From 3.0.0 to 3.0.11
Apache Dubbo	Version 3.1.0

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.apache.org/thread/8d3zqrkoy4jh8dy37j4rd7g9jodzlvkk

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

Timeline

No history available yet.