9.8
CVSSv3

CVE-2020-1948

Published: 14/07/2020 Updated: 21/07/2020
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

This vulnerability affects all Dubbo users who stay on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it executes malicious code. More details can be found below.

Vulnerability Trend


apache dubbo

Github Repositories

[CVE-2020-1948] Apache Dubbo Provider default deserialization cause RCE

Dubbo-deserialization [CVE-2020-1948] Apache Dubbo Provider default deserialization cause RCE Dubbo Study Dubbo-exp Dubbo-poc Dubbo reproduction environment

JavaRce complements project - use RASP to prevent vulnerabilities

PPPRASP By Whoopsunix why jvm-sandbox? I found that jvm-sandbox supports Native enhancement starting from 140, so I wrote a simple RASP demo to get familiar with this AOP framework (actually, I was too lazy to write it from scratch with ASM). Architectural advantages such as the AOP framework and sandbox class isolation are hard to turn down. The underlying layer is implemented on ASM and the framework is familiar, so when more complex requirements come up later the source code can be modified conveniently. Although there is no