CVE-2020-11995

A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://lists.apache.org/thread.html/r5b2df4ef479209dc4ced457b3d58a887763b60b9354c3dc148b2eb5b%40%3Cdev.dubbo.apache.org%3E	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::
	cpe:2.3:a:apache:dubbo::::::::

History

14 Jan 2021, 20:53

Type	Values Removed	Values Added
References	~~(MISC) https://lists.apache.org/thread.html/r5b2df4ef479209dc4ced457b3d58a887763b60b9354c3dc148b2eb5b%40%3Cdev.dubbo.apache.org%3E -~~	(MISC) https://lists.apache.org/thread.html/r5b2df4ef479209dc4ced457b3d58a887763b60b9354c3dc148b2eb5b%40%3Cdev.dubbo.apache.org%3E - Mailing List, Vendor Advisory
CWE		CWE-502
CPE		cpe:2.3:a:apache:dubbo::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8

11 Jan 2021, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-01-11 10:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-11995

Mitre link : CVE-2020-11995

CVE.ORG link : CVE-2020-11995

JSON object : View

Products Affected

apache

dubbo

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2020-11995", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-01-11T10:15:13.187", "references": [{"url": "https://lists.apache.org/thread.html/r5b2df4ef479209dc4ced457b3d58a887763b60b9354c3dc148b2eb5b%40%3Cdev.dubbo.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}, {"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8."}, {"lang": "es", "value": "Se detect\u00f3 vulnerabilidad de deserializaci\u00f3n en dubbo versiones 2.7.5 y anteriores, que podr\u00eda conllevar a una ejecuci\u00f3n de c\u00f3digo malicioso. La mayor\u00eda de usuarios de Dubbo usan Hessian2 como el protocolo de serializaci\u00f3n y deserializaci\u00f3n predeterminado, mientras Hessian2 deserializa el objeto HashMap, algunas funciones en el almacenado de clases en HasMap ser\u00e1n ejecutadas despu\u00e9s de una serie de llamadas al programa, sin embargo, esas funciones especiales pueden causar una ejecuci\u00f3n remota de comandos. Por ejemplo, la funci\u00f3n hashCode() de la clase EqualsBean en rome-1.7.0.jar har\u00e1 que las clases maliciosas cargen remotamente y ejecuten c\u00f3digo malicioso al construir una petici\u00f3n maliciosa. Este problema fue corregido en Apache Dubbo versiones 2.6.9 y 2.7.8"}], "lastModified": "2021-01-14T20:53:45.630", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AA9088D-71FA-4DE0-9DC9-DBE0CCB0AB6B", "versionEndIncluding": "2.5.10", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEC33A7C-991C-4011-A767-351A9E09C7BA", "versionEndIncluding": "2.6.8", "versionStartIncluding": "2.6.0"}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5DD841FC-5CB7-4137-9FB6-7F9A0A35C3B9", "versionEndIncluding": "2.7.7", "versionStartIncluding": "2.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}