Vulnerability in Apache Dubbo

CVE-2020-1948

This vulnerability can affect all Dubbo users on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is des…

EPSS: 0.636 (98.4th percentile)

Affected products

  • Apache Dubbo: versions 2.5.x, 2.6.0 to 2.6.8, 2.7.0 to 2.7.7

Frequently asked questions

What is CVE-2020-1948?
CVE-2020-1948 is a vulnerability in Apache Dubbo. Published 2020-07-14.
Is CVE-2020-1948 known to be exploited?
57 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.