CVE-2019-17570

CRITICAL

Apache Xml-rpc - Insecure Deserialization

Title source: rule

Description

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Exploits (2)

nomisec WORKING POC 4 stars

by r00t4dm · poc

https://github.com/r00t4dm/CVE-2019-17570

View Code ZIP pw:eip

nomisec WORKING POC

by slowmistio · poc

https://github.com/slowmistio/xmlrpc-common-deserialization

View Code ZIP pw:eip

References (11)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2020/01/24/2

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2020:0310

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B

[Exploit, Third Party Advisory] https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp

[Mailing List, Vendor Advisory] https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2020/Feb/8

[Patch, Third Party Advisory] https://usn.ubuntu.com/4496-1/

[Third Party Advisory] https://www.debian.org/security/2020/dsa-4619

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/

[Third Party Advisory] https://security.gentoo.org/glsa/202401-26

Scores

CVSS v3 9.8

EPSS 0.7052

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (13)

apache/xml-rpc

apache/xml-rpc

apache/xml-rpc

apache/xml-rpc

debian/debian_linux

debian/debian_linux

debian/debian_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

fedoraproject/fedora

fedoraproject/fedora

redhat/software_collections

org.apache.xmlrpc/xmlrpc Maven

Timeline

Published Jan 23, 2020

Tracked Since Feb 18, 2026