Vulnerability Details: CVE-2019-17570
Potential exploit
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Vulnerability category: Execute code
Products affected by CVE-2019-17570
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xml-rpc:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xml-rpc:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xml-rpc:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xml-rpc:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-17570
EPSS score: 70.01% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-17570
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
CWE ids for CVE-2019-17570
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-17570
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/
  [SECURITY] Fedora 32 Update: xmlrpc-3.1.3-24.fc32 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://www.debian.org/security/2020/dsa-4619
  Debian -- Security Information -- DSA-4619-1 libxmlrpc3-java (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html
  [SECURITY] [DLA 2078-1] libxmlrpc3-java security update (Mailing List; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570;
  1775193 – (CVE-2019-17570) CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response (Issue Tracking; Patch; Third Party Advisory)
- https://security.gentoo.org/glsa/202401-26
  Apache XML-RPC: Multiple Vulnerabilities (GLSA 202401-26) — Gentoo security
- https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E
  Apache dev.ws.apache.org mailing-list thread (Mailing List; Vendor Advisory)
- https://usn.ubuntu.com/4496-1/
  USN-4496-1: Apache XML-RPC vulnerability | Ubuntu security notices | Ubuntu (Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0310
  RHSA-2020:0310 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://seclists.org/bugtraq/2020/Feb/8
  Bugtraq: [SECURITY] [DSA 4619-1] libxmlrpc3-java security update (Mailing List; Third Party Advisory)
- https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp
  Apache - Deserialization of Untrusted Data in XML-RPC (CVE-2019-17570) · Advisory · orangecertcc/security-research · GitHub (Exploit; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/01/24/2
  oss-security - RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization (Mailing List; Third Party Advisory)