CyberSec.Space Logo
Back to CVE Browser

CVE-2019-17570

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0700%
EPSS Percentile36.47th
PublishedJan 23, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Affected Platforms (CPE)

πŸ“¦
Apache

Xml Rpc

= 3.1
πŸ“¦
Apache

Xml Rpc

= 3.1.1
πŸ“¦
Apache

Xml Rpc

= 3.1.2
πŸ“¦
Apache

Xml Rpc

= 3.1.3
πŸ’»
Debian

Debian Linux

= 8.0
πŸ’»
Debian

Debian Linux

= 9.0
πŸ’»
Debian

Debian Linux

= 10.0
πŸ’»
Canonical

Ubuntu Linux

= 16.04
πŸ’»
Canonical

Ubuntu Linux

= 18.04
πŸ’»
Fedoraproject

Fedora

= 31
πŸ’»
Fedoraproject

Fedora

= 32
πŸ“¦
Redhat

Software Collections

= 1.0

References & Advisories

πŸ”— http://www.openwall.com/lists/oss-security/2020/01/24/2
πŸ”— https://access.redhat.com/errata/RHSA-2020:0310
πŸ”— https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B
πŸ”— https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp
πŸ”— https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E
πŸ”— https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html
πŸ”— https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/
πŸ”— https://seclists.org/bugtraq/2020/Feb/8

Related Vulnerabilities

CVE-2010-060010.0

Cisco Mediator Framework 1.5.1 before 1.5.1.build.14-eng, 2.2 before 2.2.1.dev.1, and 3.0 before 3.0.9.release.1 on the Cisco Netw...

CVE-2018-171989.8

Server-side Request Forgery (SSRF) and File Enumeration vulnerability in Apache Roller 5.2.1, 5.2.0 and earlier unsupported versio...

CVE-2019-54349.8

An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "...

CVE-2020-280359.8

WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.