Strix
26.1K

CVE-2021-43297

CRITICALCVSS 9.8/10EPSS 15.31%

Last modified

CVE-2021-43297 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. EPSS estimates a 15.31% chance of exploitation in the next 30 days.

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
15.31%

96.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ApacheDubbo>= 2.6.0, < 2.6.12
ApacheDubbo>= 2.7.0, < 2.7.15
ApacheDubbo>= 3.0.0, < 3.0.5

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-43297?
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5.
How severe is CVE-2021-43297?
CVE-2021-43297 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 15.31% probability of exploitation in the next 30 days.
How do I fix CVE-2021-43297?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-43297?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST