CVE-2019-17564

CRITICAL · EXPLOITED IN THE WILD · NUCLEI

Apache Dubbo < 2.5.10 - Insecure Deserialization

Title source: rule

Description

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Exploits (6)

nomisec WORKING POC 16 stars
by Dor-Tumarkin · poc
https://github.com/Dor-Tumarkin/CVE-2019-17564-FastJson-Gadget
nomisec WRITEUP 8 stars
by fairyming · poc
https://github.com/fairyming/CVE-2019-17564
nomisec SUSPICIOUS 2 stars
by Jaky5155 · poc
https://github.com/Jaky5155/CVE-2019-17564
nomisec STUB 1 star
by Hu3sky · poc
https://github.com/Hu3sky/CVE-2019-17564
nomisec STUB
by r00t4dm · poc
https://github.com/r00t4dm/CVE-2019-17564
nomisec STUB
by Exploit-3389 · poc
https://github.com/Exploit-3389/CVE-2019-17564

Nuclei Templates (1)

Apache Dubbo 2.5.x-2.7.4 - Insecure Deserialization
CRITICAL · VERIFIED · by Khalid6468
FOFA: app="apache-dubbo"

Scores

CVSS v3 9.8
EPSS 0.9405
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2024-05-10
InTheWild.io 2024-05-17

Classification

CWE
CWE-502
Status published

Affected Products (2)

apache/dubbo < 2.5.10
org.apache.dubbo/dubbo-rpc-http-invoker < 2.7.5 (Maven)

Timeline

Published Apr 01, 2020
Tracked Since Feb 18, 2026