CVE-2020-1948
Deserialization of Untrusted Data in Apache Dubbo
9.8
CRITICAL
CVSS 3.1
EPSS 63.6%
Description
This vulnerability can affect all Dubbo users who remain on version 2.7.6 or lower. An attacker can send RPC requests with an unrecognized service name or method name along with malicious parameter payloads. When the malicious parameter is deserialized, it executes malicious code. More details can be found below.
How to fix CVE-2020-1948
To remediate CVE-2020-1948, upgrade the affected package to a fixed version below.
- upgrade to 2.7.7 or later
Is CVE-2020-1948 being exploited?
Likely — EPSS is 63.6%, placing CVE-2020-1948 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (2)
- from 0, < 2.7.7
- from 0, < 2.7.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |