CVE-2020-1948

CRITICAL LAB

Apache Dubbo < 2.5.10 - Insecure Deserialization

Title source: rule

Description

This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below.

Exploits (4)

nomisec WORKING POC 18 stars

by richardzhangcmplx · poc

https://github.com/richardzhangcmplx/Dubbo-deserialization

View Code ZIP pw:eip

nomisec STUB 15 stars

by ctlyz123 · poc

https://github.com/ctlyz123/CVE-2020-1948

View Code ZIP pw:eip

nomisec WORKING POC 4 stars

by txrw · poc

https://github.com/txrw/Dubbo-CVE-2020-1948

View Code ZIP pw:eip

nomisec WORKING POC 3 stars

by M3g4Byt3 · poc

https://github.com/M3g4Byt3/cve-2020-1948-poc

View Code ZIP pw:eip

References (2)

Core 2

Core References

Broken Link x_refsource_misc

https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E

Third Party Advisory

https://nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert/

Scores

CVSS v3 9.8

EPSS 0.6360

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY

Community Lab

docker pull szgx/java:8u111_debian

docker pull dsolab/dubbo:cve-2020-1948

https://github.com/ctlyz123/CVE-2020-1948

https://github.com/txrw/Dubbo-CVE-2020-1948

https://github.com/M3g4Byt3/cve-2020-1948-poc

+1 more repos

View in Library

Details

CWE

CWE-502

Status published

Products (3)

apache/dubbo 2.5.0 - 2.5.10

org.apache.dubbo/dubbo 0 - 2.7.7Maven

org.apache.dubbo/dubbo-common 0 - 2.7.7Maven

Published Jul 14, 2020

Tracked Since Feb 18, 2026