CVE-2022-39198 — Hessian Lite for Apache Dubbo deserialization vulnerability

Description

A deserialization vulnerability existed in dubbo hessian-lite 3.2.12 and its earlier versions, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.17 and prior versions; Apache Dubbo 3.0.x version 3.0.11 and prior versions; Apache Dubbo 3.1.x version 3.1.0 and prior versions.

How to fix CVE-2022-39198

To remediate CVE-2022-39198, upgrade the affected package to a fixed version below.

—upgrade to 3.2.13 or later
—upgrade to 2.7.18 or later

Is CVE-2022-39198 being exploited?

Moderate — EPSS is 10.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 3.2.13
>= 2.7.0, < 2.7.18

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-39198
PATCHgithub.com/apache/dubbo-hessian-lite
WEBgithub.com/apache/dubbo-hessian-lite/releases/tag/v3.2.13
WEBgithub.com/apache/dubbo/releases/tag/dubbo-2.7.18
WEB