We found results for “”
CVE-2020-1948
Good to know:
Date: July 21, 2020
This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.
Language: Java
Severity Score
Related Resources (4)
Severity Score
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502Top Fix
Upgrade Version
Upgrade to version org.apache.dubbo:dubbo-rpc-dubbo:2.7.7;org.apache.dubbo:dubbo:2.7.7
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |
CVSS v2
Base Score: |
|
---|---|
Access Vector (AV): | NETWORK |
Access Complexity (AC): | LOW |
Authentication (AU): | NONE |
Confidentiality (C): | PARTIAL |
Integrity (I): | PARTIAL |
Availability (A): | PARTIAL |
Additional information: |