CVE-2020-1948

Severity: 9.8 CRITICAL
EPSS: 63.6% (top 1.58%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 14; latest update Feb 10

Description

This vulnerability can affect all Dubbo users who remain on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it executes malicious code. More details can be found below.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Source      Package                 Affected versions
Maven       org.apache.dubbo:dubbo  < 2.7.7
NVD         apache/dubbo            2.5.0, 2.5.10 (+2)
CVEListV5   apache_dubbo            Apache Dubbo 2.5.x, 2.6.0 to 2.6.8, 2.7.0 to 2.7.7

Vulnerability Details (3 sources)

OSV: Deserialization of Untrusted Data in Apache Dubbo (2022-02-10)
GHSA: Deserialization of Untrusted Data in Apache Dubbo (2022-02-10)
CVEList: CVE-2020-1948: This vulnerability can affect all Dubbo users stay on version 2 (2020-07-14)