Vulnerability Details CVE-2019-17564
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.933
EPSS Ranking 99.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 6.8
References
- https://advisory.checkmarx.net/advisory/CX-2020-4275
- https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E
- https://advisory.checkmarx.net/advisory/CX-2020-4275
- https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E
Products affected by CVE-2019-17564
-
cpe:2.3:a:apache:dubbo:2.5.0
-
cpe:2.3:a:apache:dubbo:2.5.1
-
cpe:2.3:a:apache:dubbo:2.5.10
-
cpe:2.3:a:apache:dubbo:2.5.2
-
cpe:2.3:a:apache:dubbo:2.5.3
-
cpe:2.3:a:apache:dubbo:2.5.4
-
cpe:2.3:a:apache:dubbo:2.5.5
-
cpe:2.3:a:apache:dubbo:2.5.6
-
cpe:2.3:a:apache:dubbo:2.5.7
-
cpe:2.3:a:apache:dubbo:2.5.8
-
cpe:2.3:a:apache:dubbo:2.5.9
-
cpe:2.3:a:apache:dubbo:2.6.0
-
cpe:2.3:a:apache:dubbo:2.6.1
-
cpe:2.3:a:apache:dubbo:2.6.2
-
cpe:2.3:a:apache:dubbo:2.6.3
-
cpe:2.3:a:apache:dubbo:2.6.4
-
cpe:2.3:a:apache:dubbo:2.6.5
-
cpe:2.3:a:apache:dubbo:2.6.6
-
cpe:2.3:a:apache:dubbo:2.6.7
-
cpe:2.3:a:apache:dubbo:2.7.0
-
cpe:2.3:a:apache:dubbo:2.7.1
-
cpe:2.3:a:apache:dubbo:2.7.2
-
cpe:2.3:a:apache:dubbo:2.7.3
-
cpe:2.3:a:apache:dubbo:2.7.4