PT-2020-15186 · Apache · Dubbo

Published 2020-07-14 · Updated 2022-02-10 · CVE-2020-1948

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Dubbo 2.7.6 and earlier (2.7.0 through 2.7.6, 2.6.0 through 2.6.7, and all 2.5.x releases).

Description
Dubbo's default protocol decoder deserializes the parameters of an incoming RPC request before it checks whether the named service and method are actually exported by the provider. An unauthenticated attacker who can reach the Dubbo port (20880 by default) can therefore send a request carrying an unrecognized service name or method name, an attacker-chosen parameter type descriptor, and a crafted hessian2 payload in place of the parameters. The provider deserializes that payload anyway, and with a suitable gadget class on the classpath the deserialization executes attacker-supplied code. No credentials or user interaction are required, which is reflected in the CVSS vector.

Recommendations
For Dubbo 2.7.6 and earlier, upgrade to a version higher than 2.7.6. Note that the first fix, released in 2.7.7, was later shown to be bypassable; 2.7.8 carries the completed check, so treat 2.7.8 as the practical minimum. Until the upgrade is done, restrict network access to the provider port to known consumers, since reachability is the only precondition for the attack.
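The detection check a practitioner would want for this issue is the one the fix itself performs, done on the wire instead of in the provider: read the Dubbo frame header and the leading hessian2 strings of the request (dubbo version, service, version, method, parameter types) and raise an alert whenever the service or method is not one the server exports, without ever deserializing the parameter payload. The following Python is an added example written for this page; it is not Dubbo project code. The frame layout and hessian2 string encoding are those of the Dubbo protocol; the exported-service allowlist, the sample frames, and the opaque stand-in for a malicious parameter are constructed for the example, and the service and method identifiers are assumed to be ASCII.

```python
"""Added example: flag Dubbo requests that name a service or method the
provider does not export, without deserializing the parameter payload."""
import struct

# Dubbo protocol constants (ExchangeCodec / DubboCodec)
MAGIC = 0xDABB              # first two bytes of every Dubbo frame
FLAG_REQUEST = 0x80         # request (vs. response)
FLAG_TWOWAY = 0x40          # caller expects a reply
FLAG_EVENT = 0x20           # heartbeat / event frames carry no invocation
SERIALIZATION_MASK = 0x1F   # low five bits of the flag byte
HESSIAN2_ID = 2             # default serialization for the dubbo protocol
HEADER_LEN = 16

# Constructed allowlist: the interfaces and methods this provider exports.
EXPOSED = {
    "org.example.GreetingService": {"sayHello", "sayGoodbye"},
}


def h2_string(s: str) -> bytes:
    """Encode one string the way hessian2 does (up to 65535 characters)."""
    n, data = len(s), s.encode("utf-8")
    if n < 32:
        return bytes([n]) + data                         # single-byte length
    if n < 1024:
        return bytes([0x30 + (n >> 8), n & 0xFF]) + data  # two-byte length
    return b"S" + struct.pack(">H", n) + data            # final chunk


def read_h2_string(buf: bytes, pos: int):
    """Decode one hessian2 string at pos; return (value, position after it).
    Hessian2 lengths count characters; identifiers here are ASCII, so the
    byte count equals the character count (an assumption of this example)."""
    tag = buf[pos]
    if tag < 0x20:
        n, pos = tag, pos + 1
    elif 0x30 <= tag <= 0x33:
        n, pos = ((tag - 0x30) << 8) | buf[pos + 1], pos + 2
    elif tag == 0x53:  # 'S'
        n, pos = struct.unpack(">H", buf[pos + 1:pos + 3])[0], pos + 3
    else:
        raise ValueError(f"unsupported hessian2 string tag 0x{tag:02x} at {pos}")
    return buf[pos:pos + n].decode("utf-8"), pos + n


def build_request(service, method, version="", ptypes="Ljava/lang/String;",
                  args=b"", request_id=1) -> bytes:
    """Build a hessian2 Dubbo request frame (constructed sample input)."""
    body = b"".join(h2_string(x) for x in ("2.0.2", service, version, method, ptypes)) + args
    header = struct.pack(">HBBQI", MAGIC, FLAG_REQUEST | FLAG_TWOWAY | HESSIAN2_ID,
                         0, request_id, len(body))
    return header + body


def parse_request(frame: bytes):
    """Parse the header and the five leading strings of a request body.
    Returns None for responses and heartbeats; never touches the parameters."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than the 16-byte header")
    magic, flag, _status, req_id, length = struct.unpack(">HBBQI", frame[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("not a Dubbo frame")
    if not flag & FLAG_REQUEST or flag & FLAG_EVENT:
        return None
    body = frame[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    info = {"request_id": req_id, "serialization_id": flag & SERIALIZATION_MASK}
    pos = 0
    for key in ("dubbo_version", "service", "version", "method", "param_types"):
        info[key], pos = read_h2_string(body, pos)
    info["payload_len"] = length - pos   # bytes left for arguments + attachments
    return info


def assess(frame: bytes):
    """Return (verdict, parsed header); the verdict mirrors the fixed decoder's
    service/method lookup, performed before any parameter is deserialized."""
    info = parse_request(frame)
    if info is None:
        return "ignore", info
    methods = EXPOSED.get(info["service"])
    if methods is None:
        return "alert: unknown service", info
    if info["method"] not in methods:
        return "alert: unknown method", info
    return "ok", info


# Constructed sample frames: a legitimate call and a probe at a service the
# provider does not export. The 64 zero bytes are an opaque stand-in for a
# malicious parameter payload, not a real gadget chain.
LEGIT = build_request("org.example.GreetingService", "sayHello", args=h2_string("world"))
SUSPECT = build_request("org.example.NoSuchService", "anything",
                        ptypes="Ljava/lang/Object;", args=bytes(64), request_id=7)

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT), ("suspect", SUSPECT)):
        verdict, info = assess(frame)
        print(name, verdict, info["service"], info["method"], info["payload_len"])
```

The check deliberately stops at the parameter-types descriptor: everything after it is attacker-controlled bytes that only the provider's hessian2 decoder can interpret, and parsing it in a detector would reproduce the risk the detector is meant to catch. A method that exists but is called with a parameter descriptor the interface does not declare is worth a second rule in a real deployment; the example only covers the service and method lookup.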


Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2020-1948
GHSA-WHWW-V56C-CGV2

Affected Products

Apache Dubbo