Vulnerability in Apache Dubbo

CVE-2019-17564

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables…

EPSS: 0.940 (99.9th percentile)

Affected products

  • Apache Dubbo — versions 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, all 2.5.x versions

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2019-17564?
CVE-2019-17564 is a vulnerability in Apache Dubbo. Published 2020-04-01.
Is CVE-2019-17564 known to be exploited?
62 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.