CVE-2019-17564

Summary

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Affected Software

VendorProductVersion RangeStatus
ApacheApache Dubbo2.7.0 to 2.7.4affected
ApacheApache Dubbo2.6.0 to 2.6.7affected
ApacheApache Dubboall 2.5.x versionsaffected

Weaknesses

  • Unsafe deserialization

ADP Enrichment

CVE Program Container

Additional References

References