⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2019-17564

CWE-502Deserialization of Untrusted Data6 documents6 sources
Severity
9.8CRITICAL
EPSS
94.0%
top 0.10%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Apache DubboApache Apache Dubbo
Timeline
PublishedApr 1
Latest updateMay 24

Description

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDapache/dubbo2.5.02.5.10+2
CVEListV5apache/apache_dubbo2.6.0 to 2.6.7, 2.7.0 to 2.7.4, all 2.5.x versions+2

🔴Vulnerability Details

4
OSV
Deserialization of Untrusted Data in Apache Dubbo2022-05-24
GHSA
Deserialization of Untrusted Data in Apache Dubbo2022-05-24
CVEList
CVE-2019-17564: Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled2020-04-01
VulnCheck
Apache dubbo Deserialization of Untrusted Data2019

💥Exploits & PoCs

1
Nuclei
Apache Dubbo 2.5.x-2.7.4 - Insecure Deserialization
CVE-2019-17564 (CRITICAL CVSS 9.8) | Unsafe deserialization occurs withi | cvebase.io