9.8
CRITICAL
CVE-2023-23638
Apache Dubbo Java Deserialization Vulnerability
Description

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

INFO

Published Date :

March 8, 2023, 11:15 a.m.

Last Modified :

Nov. 7, 2023, 4:07 a.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
Public PoC/Exploit Available at Github

CVE-2023-23638 has a 15 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

Affected Products

The following products are affected by CVE-2023-23638 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Apache dubbo
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2023-23638.

URL Resource
https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb Issue Tracking Vendor Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
whoami13apt/files2

None

Updated: 4 months ago
0 stars 0 fork 0 watcher
Born at : May 16, 2024, 2:53 p.m. This repo has been linked 48 different CVEs too.
Profile Photo
muneebaashiq/MBProjects

None

Updated: 3 months, 4 weeks ago
1 stars 0 fork 0 watcher
Born at : Jan. 24, 2024, 4:31 p.m. This repo has been linked 83 different CVEs too.
Profile Photo
YYHYlh/Dubbo-Scan

一款让你不只在dubbo-sample、vulhub或者其他测试环境里检测和利用成功的Apache Dubbo 漏洞检测工具。

Java

Updated: 2 weeks ago
159 stars 10 fork 10 watcher
Born at : Aug. 7, 2023, 2 p.m. This repo has been linked 3 different CVEs too.
Profile Photo
x3t2con/Rttools-2

项目内包含工具涉及类别:漏洞利用工具、代审辅助、漏洞利用、靶场环境项目地址列表、漏洞扫描/序列化、密码/隧道项目地址链接、免杀项目地址列表、内网项目地址链接、应急响应项目地址列表、木马查杀、中间件工具项目链接、字典/钓鱼/社工/爆破项目目地址链接、自动化/资产项目链接、子域名/目录/指纹地址

Updated: 1 week, 6 days ago
65 stars 10 fork 10 watcher
Born at : July 26, 2023, 7:59 a.m. This repo has been linked 3 different CVEs too.
Profile Photo
3yujw7njai/CVE-2023-23638-Tools

None

Updated: 1 year, 3 months ago
0 stars 0 fork 0 watcher
Born at : June 8, 2023, 5:14 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
YYHYlh/Apache-Dubbo-CVE-2023-23638-exp

Apache Dubbo (CVE-2023-23638)漏洞利用的工程化实践

Java

Updated: 2 months, 1 week ago
216 stars 31 fork 31 watcher
Born at : May 11, 2023, 7:37 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
Armandhe-China/ApacheDubboSerialVuln

Apache Dubbo系列漏洞

Java

Updated: 2 weeks, 1 day ago
2 stars 1 fork 1 watcher
Born at : March 31, 2023, 5:58 a.m. This repo has been linked 9 different CVEs too.
Profile Photo
X1r0z/Dubbo-RCE

PoC of Apache Dubbo CVE-2023-23638

Java

Updated: 3 months, 4 weeks ago
31 stars 7 fork 7 watcher
Born at : March 22, 2023, 11:23 a.m. This repo has been linked 1 different CVEs too.
Profile Photo
Threekiii/CVE

一个CVE漏洞预警知识库 no exp/poc

Updated: 1 month, 2 weeks ago
88 stars 10 fork 10 watcher
Born at : Jan. 5, 2023, 2:19 a.m. This repo has been linked 110 different CVEs too.
Profile Photo
Whoopsunix/PPPVULNS

Java CVE Vulnerability Environment

cve java dubbo apache spring

Java HTML PLpgSQL Python JavaScript CSS Shell Dockerfile

Updated: 1 month, 1 week ago
20 stars 6 fork 6 watcher
Born at : Oct. 16, 2022, 3:20 p.m. This repo has been linked 31 different CVEs too.
Profile Photo
Awrrays/FrameVul

POC集合,框架nday漏洞利用

Updated: 2 weeks, 1 day ago
373 stars 49 fork 49 watcher
Born at : April 4, 2022, 5:54 a.m. This repo has been linked 105 different CVEs too.
Profile Photo
Y4tacker/JavaSec

a rep for documenting my study, may be from 0 to 0.1

Java Dockerfile Shell Python HTML

Updated: 1 week, 4 days ago
1833 stars 266 fork 266 watcher
Born at : Oct. 18, 2021, 1:21 a.m. This repo has been linked 34 different CVEs too.
Profile Photo
izj007/wechat

微信收藏的文章

Updated: 2 weeks ago
611 stars 129 fork 129 watcher
Born at : Aug. 3, 2021, 2:07 a.m. This repo has been linked 48 different CVEs too.
Profile Photo
taielab/awesome-hacking-lists

平常看到好的渗透hacking工具和多领域效率工具的集合

web hacking awesome-list hacker hacking-tool kali-scripts hacking-tools pentesting-tools pentest-scripts bounty-hunters bug-bounty bugbounty bugbounty-tool

Updated: 1 week, 6 days ago
985 stars 180 fork 180 watcher
Born at : June 12, 2020, 9:16 a.m. This repo has been linked 91 different CVEs too.
Profile Photo
nomi-sec/PoC-in-GitHub

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 1 week, 4 days ago
6375 stars 1107 fork 1107 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has been linked 904 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2023-23638 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2023-23638 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Nov. 07, 2023

    Action Type Old Value New Value
    Changed Description A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions. A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.
  • Initial Analysis by [email protected]

    Mar. 14, 2023

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb No Types Assigned https://lists.apache.org/thread/8h6zscfzj482z512d2v5ft63hdhzm0cb Issue Tracking, Vendor Advisory
    Added CPE Configuration OR *cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:* versions from (including) 2.7.0 up to (including) 2.7.21 *cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:* versions from (including) 3.0.0 up to (including) 3.0.13 *cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:* versions from (including) 3.1.0 up to (including) 3.1.5
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2023-23638 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2023-23638 weaknesses.

Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

1.50 }} 0.01%

score

0.87195

percentile

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: