Dubbo HTTP Remoting Deserialization Vulnerability

Dubbo HTTP Remoting Deserialization Vulnerability

CVE-2019-17564 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.

Learn more about our Cis Benchmark Audit For Apache Http Server.