CVE-2020-1948

{"id": "CVE-2020-1948", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-07-14T14:15:17.790", "references": [{"url": "https://lists.apache.org/thread.html/rbaa41711b3e7a8cd20e9013737423ddd079ddc12f90180f86e76523c%40%3Csecurity.dubbo.apache.org%3E", "tags": ["Broken Link"], "source": "security@apache.org"}, {"url": "https://nsfocusglobal.com/apache-dubbo-remote-code-execution-vulnerability-cve-2020-1948-threat-alert/", "tags": ["Third Party Advisory"], "source": "nvd@nist.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "This vulnerability can affect all Dubbo users stay on version 2.7.6 or lower. An attacker can send RPC requests with unrecognized service name or method name along with some malicious parameter payloads. When the malicious parameter is deserialized, it will execute some malicious code. More details can be found below."}, {"lang": "es", "value": "Esta vulnerabilidad puede afectar a todos los usuarios de Dubbo que permanecen en las versiones 2.7.6 o por debajo. Un atacante puede enviar peticiones RPC con un nombre de servicio o nombre de m\u00e9todo no reconocido junto con algunas cargas \u00fatiles de par\u00e1metros maliciosos. Cuando el par\u00e1metro malicioso es deserializado, ejecutar\u00e1 alg\u00fan c\u00f3digo malicioso. M\u00e1s detalles pueden ser encontrados a continuaci\u00f3n"}], "lastModified": "2020-07-21T17:50:26.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AA9088D-71FA-4DE0-9DC9-DBE0CCB0AB6B", "versionEndIncluding": "2.5.10", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "444DA191-F4F8-4AF7-B6DD-7934715E53BC", "versionEndIncluding": "2.6.7", "versionStartIncluding": "2.6.0"}, {"criteria": "cpe:2.3:a:apache:dubbo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C27B7D1F-00B6-46C6-863A-7CC1D20574DF", "versionEndIncluding": "2.7.6", "versionStartIncluding": "2.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}