CVE-2019-17570

Published: Jan 23, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Affected (12)

Products: Apache: Xml Rpc · Debian: Debian Linux · Canonical: Ubuntu Linux · +2 more

Show all products

Apache: Xml Rpc · Debian: Debian Linux · Canonical: Ubuntu Linux · Fedoraproject: Fedora · Redhat: Software Collections

1 product

1 product

1 product

1 product

1 product

Software Collections

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Apache Xml Rpc	Version 3.1.1
Apache Xml Rpc	Version 3.1.2
Apache Xml Rpc	Version 3.1.3
Apache Xml Rpc	Version 3.1

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 31
Fedoraproject Fedora	Version 32

Configuration E

1 vulnerable · 5 platform

Vulnerable Software	Affected Versions
Redhat Software Collections	Version 1.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 7.5
Redhat Enterprise Linux	Version 7.6
Redhat Enterprise Linux	Version 7.7

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (22)

http://www.openwall.com/lists/oss-security/2020/01/24/2

Source: security@apache.org

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHSA-2020:0310

Source: security@apache.org

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B

Source: security@apache.org

https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp

Source: security@apache.org

ExploitThird Party Advisory

https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E

Source: security@apache.org

Mailing ListVendor Advisory

https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html

Source: security@apache.org

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/

Source: security@apache.org

https://seclists.org/bugtraq/2020/Feb/8

Source: security@apache.org

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202401-26

Source: security@apache.org

https://usn.ubuntu.com/4496-1/

Source: security@apache.org

PatchThird Party Advisory

https://www.debian.org/security/2020/dsa-4619

Source: security@apache.org

Third Party Advisory

http://www.openwall.com/lists/oss-security/2020/01/24/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHSA-2020:0310

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListVendor Advisory

https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/

Source: af854a3a-2127-422b-91ae-364da2661108

https://seclists.org/bugtraq/2020/Feb/8

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202401-26

Source: af854a3a-2127-422b-91ae-364da2661108

https://usn.ubuntu.com/4496-1/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.debian.org/security/2020/dsa-4619

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.