2 vulnerabilities found for Apache Dubbo by Apache
CVE-2019-17564 (GCVE-0-2019-17564)
Vulnerability from nvd – Published: 2020-04-01 21:17 – Updated: 2024-08-05 01:40
Summary
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Severity
No CVSS data available.
CWE
- Unsafe deserialization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E | x_refsource_MISC |
| https://advisory.checkmarx.net/advisory/CX-2020-4275 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache | Apache Dubbo | Affected: 2.7.0 to 2.7.4<br>Affected: 2.6.0 to 2.6.7<br>Affected: all 2.5.x versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4275"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "2.7.0 to 2.7.4"
},
{
"status": "affected",
"version": "2.6.0 to 2.6.7"
},
{
"status": "affected",
"version": "all 2.5.x versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unsafe deserialization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-30T22:29:51.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4275"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17564",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_value": "2.7.0 to 2.7.4"
},
{
"version_value": "2.6.0 to 2.6.7"
},
{
"version_value": "all 2.5.x versions"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unsafe deserialization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2020-4275",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4275"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17564",
"datePublished": "2020-04-01T21:17:59.000Z",
"dateReserved": "2019-10-14T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:40:15.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-17564 (GCVE-0-2019-17564)
Vulnerability from cvelistv5 – Published: 2020-04-01 21:17 – Updated: 2024-08-05 01:40
Summary
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Severity
No CVSS data available.
CWE
- Unsafe deserialization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E | x_refsource_MISC |
| https://advisory.checkmarx.net/advisory/CX-2020-4275 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| Apache | Apache Dubbo | Affected: 2.7.0 to 2.7.4<br>Affected: 2.6.0 to 2.6.7<br>Affected: all 2.5.x versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:40:15.977Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4275"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Dubbo",
"vendor": "Apache",
"versions": [
{
"status": "affected",
"version": "2.7.0 to 2.7.4"
},
{
"status": "affected",
"version": "2.6.0 to 2.6.7"
},
{
"status": "affected",
"version": "all 2.5.x versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Unsafe deserialization",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-30T22:29:51.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4275"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2019-17564",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Dubbo",
"version": {
"version_data": [
{
"version_value": "2.7.0 to 2.7.4"
},
{
"version_value": "2.6.0 to 2.6.7"
},
{
"version_value": "all 2.5.x versions"
}
]
}
}
]
},
"vendor_name": "Apache"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Unsafe deserialization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r13f7a58fa5d61d729e538a378687118e00c3e229903ba1e7b3a807a2%40%3Cdev.dubbo.apache.org%3E"
},
{
"name": "https://advisory.checkmarx.net/advisory/CX-2020-4275",
"refsource": "MISC",
"url": "https://advisory.checkmarx.net/advisory/CX-2020-4275"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2019-17564",
"datePublished": "2020-04-01T21:17:59.000Z",
"dateReserved": "2019-10-14T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:40:15.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}