CVE-2020-1948

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Dubbo
Vendor: CVE Published:; 14 July 2020

Badges

👾 Exploit Exists🟡 Public PoC

Summary

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.

Affected Version(s)

Apache Dubbo Apache Dubbo 2.5.x, 2.6.0 to 2.6.8, 2.7.0 to 2.7.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Dubbo-deserialization
Created by L0kiii

CVE-2020-1948
Created by ctlyz123

Dubbo-CVE-2020-1948
Created by txrw

References

https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 14, 2020
👾
Exploit known to exist
Jul 14, 2020
Vulnerability published
Jul 14, 2020
Vulnerability Reserved
Dec 2, 2019