SCA: security update for org.apache.dubbo:dubbo-parent (GHSA-fprr-rrm8-4534)

critical Tenable Cloud Security Plugin ID 414624

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are
vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The
Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect
information about the providers and methods exposed by the service and it can even allow to shutdown the
service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke`
handler. This handler uses a safe version of FastJson to process the call arguments. However, the
resulting list is later processed with `PojoUtils.realize` which can be used to instantiate arbitrary
classes and invoke its setters. Even though FastJson is properly protected with a default blocklist,
`PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions
2.6.10 and 2.7.10 contain fixes for this issue. (CVE-2021-32824)

See Also

https://github.com/advisories/GHSA-fprr-rrm8-4534

Plugin Details

Severity: Critical

ID: 414624

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2021-32824

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/3/2023

Vulnerability Publication Date: 1/3/2023

Reference Information

CVE: CVE-2021-32824

cwe: CWE-502