CVE-2019-17570

Published: 23/01/2020 Updated: 22/01/2024
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An untrusted deserialization vulnerability was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of the Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server can target an XML-RPC client and cause it to execute arbitrary code with the privileges of the client application. Apache XML-RPC is no longer maintained and this issue will not be fixed upstream; distributions carry their own patches.
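A wire-level check for the condition the summary describes, added here as an example and not code from ws-xmlrpc or from any of the repositories listed on this page. It is written in Python so it can sit in a proxy or test harness in front of a Java client: it parses an XML-RPC response and, if the fault struct carries a faultCause member whose base64 payload begins with the Java serialization stream header (AC ED 00 05), it rejects the response before a vulnerable XmlRpcResponseParser.addResult could hand the bytes to ObjectInputStream. All sample responses are constructed for this example; the "hostile" payload is only a stream header plus filler, not an exploit.

```python
import base64
import xml.etree.ElementTree as ET

# ObjectOutputStream writes STREAM_MAGIC (0xACED) then STREAM_VERSION (5);
# every Java serialization stream starts with these four bytes.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def fault_with_cause(raw: bytes) -> bytes:
    """Build a constructed XML-RPC fault whose faultCause carries `raw` as base64,
    the shape ws-xmlrpc uses to ship a serialized Throwable to the client."""
    return (b'<?xml version="1.0"?>'
            b'<methodResponse><fault><value><struct>'
            b'<member><name>faultCode</name><value><i4>0</i4></value></member>'
            b'<member><name>faultString</name><value><string>boom</string></value></member>'
            b'<member><name>faultCause</name><value><base64>' + base64.b64encode(raw) +
            b'</base64></value></member></struct></value></fault></methodResponse>')


# Constructed sample: an ordinary successful method response.
OK_RESPONSE = (b'<?xml version="1.0"?>'
               b'<methodResponse><params><param><value><string>pong</string>'
               b'</value></param></params></methodResponse>')

# Constructed sample: a fault with faultCode/faultString only (no faultCause).
BENIGN_FAULT = (b'<?xml version="1.0"?>'
                b'<methodResponse><fault><value><struct>'
                b'<member><name>faultCode</name><value><i4>4</i4></value></member>'
                b'<member><name>faultString</name><value><string>Too many parameters.</string></value></member>'
                b'</struct></value></fault></methodResponse>')

# Constructed sample: the bytes after the magic are filler, not a gadget chain;
# only the stream header matters for the check below.
_FAKE_STREAM = JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x13java.lang.Exception" + b"\x00" * 8
HOSTILE_FAULT = fault_with_cause(_FAKE_STREAM)


def fault_members(doc: bytes):
    """Return the fault struct as {member name: <value> element}, or None when the
    response is not a fault. Raises ValueError for anything that is not a methodResponse."""
    root = ET.fromstring(doc)
    if root.tag != "methodResponse":
        raise ValueError("not an XML-RPC response")
    fault = root.find("fault")
    if fault is None:
        return None
    members = {}
    for member in fault.findall("./value/struct/member"):
        name = member.findtext("name")
        value = member.find("value")
        if name is not None and value is not None:
            members[name.strip()] = value
    return members


def check_response(doc: bytes) -> str:
    """Classify a response as 'ok' (no fault), 'fault' (fault without a Java-serialized
    faultCause) or 'reject' (faultCause that a vulnerable client would deserialize)."""
    members = fault_members(doc)
    if members is None:
        return "ok"
    cause = members.get("faultCause")
    if cause is None:
        return "fault"
    b64 = cause.find("base64")
    if b64 is None:
        # faultCause is only ever a byte[] on the wire; anything else is not worth guessing about.
        return "reject"
    try:
        raw = base64.b64decode((b64.text or "").strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "reject"
    return "reject" if raw.startswith(JAVA_SERIAL_MAGIC) else "fault"


if __name__ == "__main__":
    for label, doc in (("ok", OK_RESPONSE), ("benign", BENIGN_FAULT), ("hostile", HOSTILE_FAULT)):
        print(label, "->", check_response(doc))
```

A malicious server controls every byte of the faultCause payload, so the filter rejects any Java-serialized faultCause outright instead of trying to separate benign exceptions from gadget chains; a server that legitimately forwards exceptions this way is rejected too, which is the intended trade-off for an unpatched client.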

Vulnerable Products

apache xml-rpc 3.1.3

apache xml-rpc 3.1.2

apache xml-rpc 3.1

apache xml-rpc 3.1.1

debian debian linux 8.0

debian debian linux 9.0

debian debian linux 10.0

canonical ubuntu linux 18.04

canonical ubuntu linux 16.04

fedoraproject fedora 31

fedoraproject fedora 32

redhat software collections 1.0

Vendor Advisories

Debian Bug report logs - #949089 libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response. Package: src:libxmlrpc3-java; Maintainer for src:libxmlrpc3-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <c ...
Synopsis: Important: rh-java-common-xmlrpc security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-java-common-xmlrpc is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Sco ...
Synopsis: Important: Red Hat Fuse 7.6.0 security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.5 to 7.6) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security h ...
Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an ap ...
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target an XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed. (CVE-2019-17570) ...

Mailing Lists

Description =========== Java untrusted deserialization in faultCause when processing an XMLRPC response. XMLRPC clients are thus targeted by this vulnerability, and rogue XMLRPC servers may gain arbitrary code execution on the XMLRPC client. The vulnerability lies in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult(Object) method. Thi ...
Hello, A PoC is now available for this vulnerability. For more information, see github.com/orangecertcc/xmlrpc-common-deserialization. Regards, -----Original message----- From: ZZZ CERT CC Sent: Thursday 16 January 2020 10:00 To: 'oss-security () lists openwall com' Subject: [CVE-2019-17570] xmlrpc-common untrusted ...

Github Repositories

fork of apache-xmlrpc with security patch

Apache XML-RPC library (fork, patched) This is a forked version of the Apache XML-RPC library version 3.1.3. We only intend to use it for the moses-plugin project. Security Fix (CVE-2019-17570) Because the original Apache project has been abandoned for over ten years, we patched a known security issue, CVE-2019-17570, using a patch by the Fedora/Red Hat project. Changes Migrate to Gradle build syste

xmlrpc common deserialization vulnerability

CVE-2019-17570 This project is a proof of concept (PoC) for CVE-2019-17570.

Moses Machine Translator plugin for OmegaT

OmegaT Moses MT connector plugin This is a spin-out Moses MT connector for OmegaT 5.8.0 or later. The Moses MT connector used the Apache XML-RPC client library, which is known to have a CRITICAL vulnerability (CVE-2019-17570). That is why the Moses MT connector was removed from the OmegaT main distribution. The plugin here uses the forked and patched version of the xml-rpc client, which uses the patch from F

Fork of https://ws.apache.org/xmlrpc/

maven-repo An untrusted deserialization (CVE-2019-17570) was found in the Apache XML-RPC (aka ws-xmlrpc) library. Given that Apache XML-RPC is no longer maintained, I picked the patch from bugzilla.redhat.com/show_bug.cgi?id=1775193, bumped the version to 3.1.3-2 and uploaded the private build. Usage pom.xml: <repositories> <repository> <i