Remote Code Execution Vulnerability in Apache Dubbo by Apache
CVE-2020-1948

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Dubbo
Vendor: CVE Published:; 14 July 2020

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 70%

Summary

A vulnerability present in Apache Dubbo versions up to 2.7.6 allows an attacker to exploit the system by sending Remote Procedure Call (RPC) requests with unrecognized service or method names accompanied by malicious parameters. If the parameters are deserialized without proper validation, this can lead to the execution of arbitrary code, jeopardizing the security of the application and its data.

Affected Version(s)

Apache Dubbo Apache Dubbo 2.5.x, 2.6.0 to 2.6.8, 2.7.0 to 2.7.7

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Dubbo-deserialization
Created by L0kiii

CVE-2020-1948
Created by ctlyz123

Dubbo-CVE-2020-1948
Created by txrw

References

https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e...

x_refsource_MISC

EPSS Score

70% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jul 14, 2020
👾
Exploit known to exist
Jul 14, 2020
Vulnerability published
Jul 14, 2020
Vulnerability Reserved
Dec 2, 2019