{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-13T10:51:04.015","vulnerabilities":[{"cve":{"id":"CVE-2020-11995","sourceIdentifier":"security@apache.org","published":"2021-01-11T10:15:13.187","lastModified":"2024-11-21T04:59:04.567","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8."},{"lang":"es","value":"Se detectó vulnerabilidad de deserialización en dubbo versiones 2.7.5 y anteriores, que podría conllevar a una ejecución de código malicioso. La mayoría de usuarios de Dubbo usan Hessian2 como el protocolo de serialización y deserialización predeterminado, mientras Hessian2 deserializa el objeto HashMap, algunas funciones en el almacenado de clases en HasMap serán ejecutadas después de una serie de llamadas al programa, sin embargo, esas funciones especiales pueden causar una ejecución remota de comandos. Por ejemplo, la función hashCode() de la clase EqualsBean en rome-1.7.0.jar hará que las clases maliciosas cargen remotamente y ejecuten código malicioso al construir una petición maliciosa. Este problema fue corregido en Apache Dubbo versiones 2.6.9 y 2.7.8"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*","versionStartIncluding":"2.5.0","versionEndIncluding":"2.5.10","matchCriteriaId":"6AA9088D-71FA-4DE0-9DC9-DBE0CCB0AB6B"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.0","versionEndIncluding":"2.6.8","matchCriteriaId":"CEC33A7C-991C-4011-A767-351A9E09C7BA"},{"vulnerable":true,"criteria":"cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*","versionStartIncluding":"2.7.0","versionEndIncluding":"2.7.7","matchCriteriaId":"5DD841FC-5CB7-4137-9FB6-7F9A0A35C3B9"}]}]}],"references":[{"url":"https://lists.apache.org/thread.html/r5b2df4ef479209dc4ced457b3d58a887763b60b9354c3dc148b2eb5b%40%3Cdev.dubbo.apache.org%3E","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https://lists.apache.org/thread.html/r5b2df4ef479209dc4ced457b3d58a887763b60b9354c3dc148b2eb5b%40%3Cdev.dubbo.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Vendor Advisory"]}]}}]}