1. CVE-Search
  2. CVE-2019-17570
ID CVE-2019-17570
Summary An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:xml-rpc:3.1.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:xml-rpc:3.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml-rpc:3.1.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:xml-rpc:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml-rpc:3.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:xml-rpc:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:xml-rpc:3.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:xml-rpc:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 22-01-2024 - 17:15)
Impact:
Exploitability:
CWE CWE-502
CAPEC
  • Object Injection
    An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
rhsa
id RHSA-2020:0310
rpms
  • rh-java-common-xmlrpc-client-1:3.1.3-8.17.el6
  • rh-java-common-xmlrpc-client-1:3.1.3-8.17.el7
  • rh-java-common-xmlrpc-common-1:3.1.3-8.17.el6
  • rh-java-common-xmlrpc-common-1:3.1.3-8.17.el7
  • rh-java-common-xmlrpc-javadoc-1:3.1.3-8.17.el6
  • rh-java-common-xmlrpc-javadoc-1:3.1.3-8.17.el7
  • rh-java-common-xmlrpc-server-1:3.1.3-8.17.el6
  • rh-java-common-xmlrpc-server-1:3.1.3-8.17.el7
refmap via4
bugtraq 20200210 [SECURITY] [DSA 4619-1] libxmlrpc3-java security update
confirm
debian DSA-4619
fedora FEDORA-2020-1d0635bd71
mlist
  • [debian-lts-announce] 20200130 [SECURITY] [DLA 2078-1] libxmlrpc3-java security update
  • [oss-security] 20200124 RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization
ubuntu USN-4496-1
Last major update 22-01-2024 - 17:15
Published 23-01-2020 - 22:15
Last modified 22-01-2024 - 17:15
Back to Top