What is CVE-2019-17570?

CVE-2019-17570 is a vulnerability in Apache Xml-rpc. Published 2020-01-23.

Is CVE-2019-17570 known to be exploited?

12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Xml-rpc

CVE-2019-17570

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrar…

EPSS: 0.705 (98.7th percentile) — read the EPSS interpretation.

Affected products

Apache Xml-rpc — versions Apache XML-RPC all versions

Public proof-of-concept exploits

References

bugzilla.redhat.com/show_bug.cgi
lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845c…
[oss-security] 20200124 RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization (mailing-list)
[debian-lts-announce] 20200130 [SECURITY] [DLA 2078-1] libxmlrpc3-java security update (mailing-list)
RHSA-2020:0310 (vendor-advisory)
DSA-4619 (vendor-advisory)
20200210 [SECURITY] [DSA 4619-1] libxmlrpc3-java security update (mailing-list)
FEDORA-2020-1d0635bd71 (vendor-advisory)
USN-4496-1 (vendor-advisory)
github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4…

Frequently asked questions

What is CVE-2019-17570?: CVE-2019-17570 is a vulnerability in Apache Xml-rpc. Published 2020-01-23.
Is CVE-2019-17570 known to be exploited?: 12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.