Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-1948

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.

Published

2020-07-14T14:15:17.790

Last Modified

2024-11-21T05:11:42.863

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	dubbo	≤ 2.5.10	Yes
Application	apache	dubbo	≤ 2.6.7	Yes
Application	apache	dubbo	≤ 2.7.6	Yes

References

https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E Broken Link ([email protected])
https://nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert/ Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E Broken Link (af854a3a-2127-422b-91ae-364da2661108)