## https://sploitus.com/exploit?id=039F6E5F-6EC6-5068-8635-27DD745B9E87
# CVE-2023-23638
For educational purposes only.
Provided by ZooKeeper.
The testing environment is Java 8; other versions have not been tested, and their usability cannot be guaranteed.
To reproduce the issue, add the VM parameter `-Ddubbo.hessian.allowNonSerializable=true` to DemoComsumer. For more details, refer to [https://su18.org/post/hessian/#serializable](https://su18.org/post/hessian/#serializable).
Analysis article: [https://exp10it.io/2023/03/apache-dubbo-cve-2023-23638-%E5%88%86%E6%9E%90/](https://exp10it.io/2023/03/apache-dubbo-cve-2023-23638-%E5%88%86%E6%9E%90/)
The essence of POC is to modify certain classes to bypass restrictions. The code involves injecting into JNDI. Refer to the analysis [CVE-2023-23638 Apache Dubbo JavaNative deserialization vulnerability analysis](https://mp.weixin.qq.com/s?__biz=Mzg3OTcyNjM1MQ==&mid=2247483788&idx=1&sn=7954ad20fec203469a13a09050536a1c) for further information on how to modify it to exploit the deserialization vulnerability.