What is CVE-2019-5434?

CVE-2019-5434 is a vulnerability in Revive Adserver, classified under Deserialization of Untrusted Data. Published 2019-05-06.

Is CVE-2019-5434 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Deserialization in Revive Adserver

CVE-2019-5434

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of…

Vulnerability class: Insecure Deserialization

EPSS: 0.891 (99.5th percentile) — read the EPSS interpretation.

Affected products

N/a Revive Adserver — versions Fixed version v4.2.0

Weakness classification (CWE)

CWE-502 — Deserialization of Untrusted Data

Public proof-of-concept exploits

References

hackerone.com/reports/512076 (x_refsource_MISC)
hackerone.com/reports/542670 (x_refsource_MISC)
www.revive-adserver.com/security/revive-sa-2019-001/ (x_refsource_MISC)
packetstormsecurity.com/files/155559/Revive-Adserver-4.2-Remote-Code-Execution… (x_refsource_MISC)

Frequently asked questions

What is CVE-2019-5434?: CVE-2019-5434 is a vulnerability in Revive Adserver, classified under Deserialization of Untrusted Data. Published 2019-05-06.
Is CVE-2019-5434 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.