
CVE-2019-17570: Insecure Deserialization in Apache XML-RPC

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.98356%
Published: 6/10/2020
Updated: 1/22/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name               Ecosystem   Vulnerable Versions   First Patched Version
org.apache.xmlrpc:xmlrpc   maven       <= 3.1.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability documentation explicitly identifies XmlRpcResponseParser.addResult as the entry point for untrusted deserialization. Code analysis shows it processes the 'faultCause' parameter by deserializing its contents via ObjectInputStream, which is inherently unsafe when processing untrusted data. Multiple independent sources (CVE description, Red Hat advisories, and Apache mailing list threads) confirm this as the root cause. The presence of this deserialization pattern without proper safeguards directly enables the documented RCE vulnerability.
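An added defender-side check, not code from this page or from the Apache XML-RPC project: a Python pre-screen that flags an XML-RPC fault response whose faultCause member carries a Java object stream, recognised by the serialization header bytes, before the client parser's addResult path would hand it to ObjectInputStream. The two responses are constructed samples; the exact wrapper element the library uses for faultCause is not assumed, so every child of the value is checked.

```python
import base64
import xml.etree.ElementTree as ET

# Header every Java serialization stream starts with (STREAM_MAGIC 0xACED, STREAM_VERSION 5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

def find_serialized_fault_cause(xml_bytes):
    """Pre-screen an XML-RPC methodResponse before the client parser sees it.

    Returns a reason string when the fault struct's 'faultCause' member carries a
    Java object stream (what addResult would hand to ObjectInputStream), else None.
    """
    root = ET.fromstring(xml_bytes)  # assumption: input size is bounded upstream
    if root.tag != "methodResponse":
        return None
    struct = root.find("fault/value/struct")  # successful responses are not inspected
    if struct is None:
        return None
    for member in struct.findall("member"):
        if member.findtext("name", default="").strip() != "faultCause":
            continue
        value = member.find("value")
        if value is None:
            continue
        # The wrapper may be <base64> or an extension type, so every child is checked.
        for child in value:
            try:
                raw = base64.b64decode((child.text or "").strip(), validate=True)
            except ValueError:
                continue
            if raw.startswith(JAVA_SERIAL_MAGIC):
                tag = child.tag.rsplit("}", 1)[-1]  # strip any namespace prefix
                return f"faultCause in <{tag}> is a Java object stream ({len(raw)} bytes)"
    return None

# Constructed samples, not real captures: the stream is just the header plus the
# start of a class descriptor, which is enough to trip the check.
_FAKE_STREAM = JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x13java.lang.Throwable"
SUSPICIOUS_RESPONSE = (
    "<methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>1</int></value></member>"
    "<member><name>faultString</name><value><string>boom</string></value></member>"
    "<member><name>faultCause</name><value><base64>"
    + base64.b64encode(_FAKE_STREAM).decode()
    + "</base64></value></member></struct></value></fault></methodResponse>"
).encode()
BENIGN_RESPONSE = b"<methodResponse><params><param><value><string>ok</string></value></param></params></methodResponse>"
```

A match is a signal to log and discard the response rather than parse it; the check says nothing about which classes the stream contains.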


WAF Protection Rules

WAF Rule

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Ap
