cve/2020/CVE-2020-11995.md

### [CVE-2020-11995](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11995)
![](https://img.shields.io/static/v1?label=Product&message=Apache%20Dubbo&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=Apache%20Dubbo%3C%202.6.9%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502%20Deserialization%20of%20Untrusted%20Data&color=brighgreen)

### Description

A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/Armandhe-China/ApacheDubboSerialVuln
- https://github.com/Whoopsunix/PPPVULNS
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2020-11995](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11995)`
			`![](https://img.shields.io/static/v1?label=Product&message=Apache%20Dubbo&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=Apache%20Dubbo%3C%202.6.9%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-502%20Deserialization%20of%20Untrusted%20Data&color=brighgreen)`

			`### Description`

			A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in the classes stored in HasMap will be executed after a series of program calls, however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause the remotely load malicious classes and execute malicious code by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/Armandhe-China/ApacheDubboSerialVuln`
			`- https://github.com/Whoopsunix/PPPVULNS`