CVE-2019-17564
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2019-17564
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Dubbo 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Dubbo 2.7.0版本至2.7.4版本、2.6.0版本至2.6.7版本和2.5.x版本中存在安全漏洞,该漏洞源于Apache Dubbo启用HTTP协议之后,Apache Dubbo对消息体处理不当。攻击者可利用该漏洞执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache | Apache Dubbo | 2.7.0 to 2.7.4 | - |
II. Public POCs for CVE-2019-17564
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/r00t4dm/CVE-2019-17564 | POC Details |
| 2 | CVE-2019-17564 Apache Dubbo deserialization RCE | https://github.com/Jaky5155/CVE-2019-17564 | POC Details |
| 3 | CVE-2019-17564 : Apache Dubbo Deserialization Remote Code Execution | https://github.com/Hu3sky/CVE-2019-17564 | POC Details |
| 4 | None | https://github.com/Exploit-3389/CVE-2019-17564 | POC Details |
| 5 | Basic code for creating the Alibaba FastJson + Spring gadget chain, as used to exploit Apache Dubbo in CVE-2019-17564 - more information available at https://www.checkmarx.com/blog/apache-dubbo-unauthenticated-remote-code-execution-vulnerability | https://github.com/Dor-Tumarkin/CVE-2019-17564-FastJson-Gadget | POC Details |
| 6 | CVE-2019-17564:Apache Dubbo反序列化漏洞 | https://github.com/fairyming/CVE-2019-17564 | POC Details |
| 7 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E5%BC%80%E5%8F%91%E6%A1%86%E6%9E%B6%E6%BC%8F%E6%B4%9E/Apache%20Dubbo%20Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%20CVE-2019-17564.md | POC Details |
| 8 | https://github.com/vulhub/vulhub/blob/master/dubbo/CVE-2019-17564/README.md | POC Details | |
| 9 | Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-17564.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2019-17564
请登录查看更多情报信息。
- https://advisory.checkmarx.net/advisory/CX-2020-4275x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2019-17564
Same Patch Batch · Apache · 2020-04-01 · 7 CVEs total
| CVE-2018-11802 | Apache Solr 安全漏洞 | |
| CVE-2020-1927 | Apache HTTP Server 输入验证错误漏洞 | |
| CVE-2020-1934 | Apache HTTP Server 安全漏洞 | |
| CVE-2020-1943 | Apache OFBiz 跨站脚本漏洞 | |
| CVE-2020-1954 | Apache CXF 信息泄露漏洞 | |
| CVE-2020-1958 | Apache Druid 注入漏洞 |
IV. Related Vulnerabilities
Same product: Apache Dubbo
- CVE-2023-46279
Apache Dubbo: Bypass deny serialize list check in Apache Dub - CVE-2023-29234
Bypass serialize checks in Apache Dubbo - CVE-2023-23638
Apache Dubbo Deserialization Vulnerability Gadgets Bypass - CVE-2022-39198
Apache Dubbo Hession Deserialization Vulnerability Gadgets B - CVE-2022-24969
bypass of CVE-2021-25640
Same vendor: Apache
- CVE-2025-58712
Amq: privilege escalation via excessive /etc/passwd permissi - CVE-2024-42362
GHSL-2023-255: HertzBeat Authenticated (user role) RCE via u - CVE-2024-42361
GHSL-2023-256: HertzBeat Authenticated (guest role) SQL inje - CVE-2021-32824
Regular expression Denial of Service in MooTools - CVE-2021-25958
Generation of Error Message Containing Sensitive Information
V. Comments for CVE-2019-17564
No comments yet