{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-17570", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-05T01:40:15.866Z", "dateReserved": "2019-10-14T00:00:00", "datePublished": "2020-01-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-01-22T16:06:22.643219"}, "descriptions": [{"lang": "en", "value": "An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed."}], "affected": [{"vendor": "Apache", "product": "Apache XML-RPC", "versions": [{"version": "Apache XML-RPC all versions", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B"}, {"url": "https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E"}, {"name": "[oss-security] 20200124 RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2020/01/24/2"}, {"name": "[debian-lts-announce] 20200130 [SECURITY] [DLA 2078-1] libxmlrpc3-java security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html"}, {"name": "RHSA-2020:0310", "tags": ["vendor-advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0310"}, {"name": "DSA-4619", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2020/dsa-4619"}, {"name": "20200210 [SECURITY] [DSA 4619-1] libxmlrpc3-java security update", "tags": ["mailing-list"], "url": "https://seclists.org/bugtraq/2020/Feb/8"}, {"name": "FEDORA-2020-1d0635bd71", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/"}, {"name": "USN-4496-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4496-1/"}, {"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp"}, {"name": "GLSA-202401-26", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202401-26"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Deserialization"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:40:15.866Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B", "tags": ["x_transferred"]}, {"url": "https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E", "tags": ["x_transferred"]}, {"name": "[oss-security] 20200124 RE: [CVE-2019-17570] xmlrpc-common untrusted deserialization", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/01/24/2"}, {"name": "[debian-lts-announce] 20200130 [SECURITY] [DLA 2078-1] libxmlrpc3-java security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html"}, {"name": "RHSA-2020:0310", "tags": ["vendor-advisory", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0310"}, {"name": "DSA-4619", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4619"}, {"name": "20200210 [SECURITY] [DSA 4619-1] libxmlrpc3-java security update", "tags": ["mailing-list", "x_transferred"], "url": "https://seclists.org/bugtraq/2020/Feb/8"}, {"name": "FEDORA-2020-1d0635bd71", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/"}, {"name": "USN-4496-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4496-1/"}, {"url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp", "tags": ["x_transferred"]}, {"name": "GLSA-202401-26", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202401-26"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:xml-rpc:3.1:*:*:*:*:*:*:*", "matchCriteriaId": "C01DEF06-2B4B-4AB9-80BD-AB23477B8947", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:xml-rpc:3.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "A79A448D-BB72-4308-A39B-064309B1FBDC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:xml-rpc:3.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "641E3E64-4530-492C-A92F-9ABB181C3D15", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:xml-rpc:3.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "D0A5703F-8A78-49EC-A372-AFA4BB7B6166", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "4EB48767-F095-444F-9E05-D9AC345AB803", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", "matchCriteriaId": "5F6FA12B-504C-4DBF-A32E-0548557AA2ED", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:*", "matchCriteriaId": "5B1633BB-7D54-4564-BC1C-3B80BA6FF215", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed."}, {"lang": "es", "value": "Se detect\u00f3 una deserializaci\u00f3n no confiable en el m\u00e9todo org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult de la biblioteca Apache XML-RPC (tambi\u00e9n se conoce como ws-xmlrpc). Un servidor XML-RPC malicioso podr\u00eda apuntar a un cliente XML-RPC causando que ejecute c\u00f3digo arbitrario. Apache XML-RPC ya no se mantiene y este problema no ser\u00e1 solucionado."}], "id": "CVE-2019-17570", "lastModified": "2024-01-22T17:15:08.520", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-23T22:15:10.200", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/01/24/2"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0310"}, {"source": "security@apache.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570%3B"}, {"source": "security@apache.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/846551673bbb7ec8d691008215384bcef03a3fb004d2da845cfe88ee%401390230951%40%3Cdev.ws.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00033.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I3QCRLJYQRGVTIYF4BXYRFSF3ONP3TBF/"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2020/Feb/8"}, {"source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202401-26"}, {"source": "security@apache.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://usn.ubuntu.com/4496-1/"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4619"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Guillaume Teissier (Orange) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:0983", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "camel-xmlrpc", "product_name": "Red Hat Fuse 7.6.0", "release_date": "2020-03-26T00:00:00Z"}, {"advisory": "RHSA-2020:0310", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-java-common-xmlrpc-1:3.1.3-8.17.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2020-01-30T00:00:00Z"}, {"advisory": "RHSA-2020:0310", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-java-common-xmlrpc-1:3.1.3-8.17.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-01-30T00:00:00Z"}, {"advisory": "RHSA-2020:0310", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-java-common-xmlrpc-1:3.1.3-8.17.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2020-01-30T00:00:00Z"}, {"advisory": "RHSA-2020:0310", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-java-common-xmlrpc-1:3.1.3-8.17.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-01-30T00:00:00Z"}, {"advisory": "RHSA-2020:0310", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-java-common-xmlrpc-1:3.1.3-8.17.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-01-30T00:00:00Z"}], "bugzilla": {"description": "xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response", "id": "1775193", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1775193"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.", "A flaw was discovered where the XMLRPC client implementation in Apache XMLRPC, performed deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious or compromised XMLRPC server could possibly use this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library."], "mitigation": {"lang": "en:us", "value": "There is no known mitigation other than restricting applications using the Apache XMLRPC client library from sending requests to untrusted XMLRPC servers."}, "name": "CVE-2019-17570", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "xmlrpc", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "xmlrpc3", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "xmlrpc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "camel-xmlrpc", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "camel-xmlrpc", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Out of support scope", "package_name": "xmprpc-common", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Will not fix", "impact": "low", "package_name": "xmlrpc-common", "product_name": "Red Hat Virtualization 4"}], "public_date": "2020-01-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-17570\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17570\nhttps://github.com/orangecertcc/security-research/security/advisories/GHSA-x2r6-4m45-m4jp"], "statement": "Red Hat Enterprise Linux 7 provides vulnerable version of xmlrpc via the Optional repository. As the Optional repository is not supported, this issue is not planned to be addressed there.\nRed Hat Virtualization Manager uses xmlrpc only for internal communication with the scheduler. Since this is a component of the Manager itself, it is not subject to attacker influence and does not represent an attack surface.", "threat_severity": "Important"}