CVE-2019-17564

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Dubbo
Vendor: CVE Published:; 1 April 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Affected Version(s)

Apache Dubbo 2.7.0 to 2.7.4

Apache Dubbo 2.6.0 to 2.6.7

Apache Dubbo all 2.5.x versions

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2019-17564-FastJson-Gadget
Created by Dor-Tumarkin

CVE-2019-17564
Created by fairyming

CVE-2019-17564
Created by Jaky5155

References

https://lists.apache.org/thread.html/r13f7a58fa5d61d729e5...

x_refsource_MISC

https://advisory.checkmarx.net/advisory/CX-2020-4275

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 1, 2020
🟡
Public PoC available
Feb 24, 2020
👾
Exploit known to exist
Feb 24, 2020
Vulnerability Reserved
Oct 14, 2019