fkie_cve-2020-1948
Vulnerability from fkie_nvd
Published
2020-07-14 14:15
Modified
2024-11-21 05:11
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.
References
security@apache.orghttps://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3EBroken Link
nvd@nist.govhttps://nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3EBroken Link
Impacted products
Vendor Product Version
apache dubbo *
apache dubbo *
apache dubbo *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6AA9088D-71FA-4DE0-9DC9-DBE0CCB0AB6B",
              "versionEndIncluding": "2.5.10",
              "versionStartIncluding": "2.5.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "444DA191-F4F8-4AF7-B6DD-7934715E53BC",
              "versionEndIncluding": "2.6.7",
              "versionStartIncluding": "2.6.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C27B7D1F-00B6-46C6-863A-7CC1D20574DF",
              "versionEndIncluding": "2.7.6",
              "versionStartIncluding": "2.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below."
    },
    {
      "lang": "es",
      "value": "Esta vulnerabilidad puede afectar a todos los usuarios de Dubbo que permanecen en las versiones 2.7.6 o por debajo. Un atacante puede enviar peticiones RPC con un nombre de servicio o nombre de m\u00e9todo no reconocido junto con algunas cargas \u00fatiles de par\u00e1metros maliciosos. Cuando el par\u00e1metro malicioso es deserializado, ejecutar\u00e1 alg\u00fan c\u00f3digo malicioso. M\u00e1s detalles pueden ser encontrados a continuaci\u00f3n"
    }
  ],
  "id": "CVE-2020-1948",
  "lastModified": "2024-11-21T05:11:42.863",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-07-14T14:15:17.790",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Broken Link"
      ],
      "url": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E"
    },
    {
      "source": "nvd@nist.gov",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.