CVE-2020-1948

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-1948
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-1948.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-1948
Aliases
Published
2020-07-14T14:15:17Z
Modified
2024-10-12T06:18:40.557214Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

This vulnerability can affect all Dubbo users who stay on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name, along with malicious parameter payloads. When the malicious parameter is deserialized, it will execute malicious code. More details can be found below.

References

Affected packages

Git / github.com/apache/dubbo

Affected versions

dubbo-2.*

dubbo-2.5.10
dubbo-2.5.9
dubbo-2.6.0
dubbo-2.7.0