CVE-2023-23638
Description
A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution.
This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
NVD
Severity: CRITICAL
CVE ID: CVE-2023-23638
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Apache Software Foundation
Severity: MEDIUM
CVE ID: CVE-2023-23638
CVSS Score: 5.0
CVSS Metrics: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Proof Of Concept
X1r0z
PoC of Apache Dubbo CVE-2023-23638
Refrence: GitHub
YYHYlh
Apache Dubbo (CVE-2023-23638)漏洞利用的工程化实践
Refrence: GitHub
CKevens
Refrence: GitHub