Vulnerability Details : CVE-2019-17564
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Products affected by CVE-2019-17564
- cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-17564
2.94%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 89 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-17564
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2019-17564
-
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-17564
-
https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E
[CVE-2019-17564] Apache Dubbo deserialization vulnerability - Pony MailMailing List;Vendor Advisory
-
https://advisory.checkmarx.net/advisory/CX-2020-4275
Checkmarx Advisory | CX-2020-4275 / Unsafe deserialization in Apache Dubbo
Jump to