CVSSv2: 7.5

CVE-2019-17570

Published: 23/01/2020 Updated: 22/01/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Vulnerable Products

apache xml-rpc 3.1.3

apache xml-rpc 3.1.2

apache xml-rpc 3.1

apache xml-rpc 3.1.1

debian debian linux 8.0

debian debian linux 9.0

debian debian linux 10.0

canonical ubuntu linux 18.04

canonical ubuntu linux 16.04

fedoraproject fedora 31

fedoraproject fedora 32

redhat software_collections 1.0

Vendor Advisories

Synopsis: Important: rh-java-common-xmlrpc security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-java-common-xmlrpc is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Sco ...
Synopsis: Important: Red Hat Fuse 7.6.0 security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.5 to 7.6) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security h ...
Debian Bug report logs - #949089 libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response. Package: src:libxmlrpc3-java; Maintainer for src:libxmlrpc3-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <c ...
Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an ap ...
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. (CVE-2019-17570) ...

Mailing Lists

oss-sec mailing list archives: RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization. From: < ...
oss-sec mailing list archives: [CVE-2019-17570] xmlrpc-common untrusted deserialization. From: <cert ...

Github Repositories

xmlrpc common deserialization vulnerability

CVE-2019-17570: This project is a proof-of-concept (POC) for CVE-2019-17570.

fork of apace-xmlrpc with security patch

Apache XML-RPC library (fork, patched). This is a project-forked version of the Apache XML-RPC library version 3.1.3. We only intend to use it for the moses-plugin project. Security Fix (CVE-2019-17570): Because the original Apache project has been abandoned for over ten years, we patched a known security issue, CVE-2019-17570, using a patch by the Fedora/Red Hat project. Changes: Migrate to Gradle build syste ...

Moses Machine Translator plugin for OmegaT

OmegaT Moses MT connector plugin. This is a spin-out Moses MT connector for OmegaT 5.8.0 or later. The Moses MT connector used the Apache XML-RPC client library, which is known to have a CRITICAL vulnerability (CVE-2019-17570). That is why the Moses MT connector was removed from the OmegaT main distribution. The plugin here uses the forked and patched version of the xml-rpc client, which uses the patch from F ...

Fork of https://ws.apache.org/xmlrpc/

maven-repo. An untrusted deserialization (CVE-2019-17570) was found in the Apache XML-RPC (aka ws-xmlrpc) library. Given that Apache XML-RPC is no longer maintained, I pick the patch from bugzilla.redhat.com/show_bug.cgi?id=1775193, bump up the version to 3.1.3-2 and upload the private build. Usage: pom.xml: <repositories> <repository> <i ...