CVE-2019-17570: Insecure Deserialization in Apache XML-RPC
CVSS Score (v3.1): 9.8
Basic Information
CVE ID: CVE-2019-17570
GHSA ID:
EPSS Score: 0.98356%
CWE:
Published: 6/10/2020
Updated: 1/22/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.xmlrpc:xmlrpc | maven | <= 3.1.3 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability documentation explicitly identifies XmlRpcResponseParser.addResult as the entry point for untrusted deserialization. Code analysis shows that it handles the 'faultCause' parameter of a fault response by deserializing its contents with ObjectInputStream, a pattern that is inherently unsafe on data an untrusted peer controls, because the incoming stream dictates which classes the client instantiates. Multiple independent sources (the CVE description, Red Hat advisories, and Apache mailing list threads) confirm this as the root cause. Because the deserialization runs without any safeguard on what the stream may instantiate, it directly enables the documented RCE vulnerability.
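As an added defensive example (not Miggo's analysis code and not part of Apache XML-RPC), the check below inspects an XML-RPC response before it reaches the library and flags faults that carry a faultCause member whose payload looks like a Java serialization stream, so a client wrapper or proxy can reject it instead of deserializing. The faultCause member name comes from the analysis above; that it travels as base64 inside the fault struct, and the sample responses themselves, are assumptions constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Stream header every ObjectOutputStream emits: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Constructed fault response in the shape assumed for Apache XML-RPC server-side exceptions: the usual
# faultCode/faultString plus a base64 faultCause whose blob is just a header and a class-desc prefix.
_FAKE_BLOB = JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x13java.lang.Exception"
SAMPLE_FAULT_RESPONSE = (
    "<?xml version='1.0'?><methodResponse><fault><value><struct>"
    "<member><name>faultCode</name><value><int>0</int></value></member>"
    "<member><name>faultString</name><value><string>Failed to invoke method</string></value></member>"
    "<member><name>faultCause</name><value><base64>%s</base64></value></member>"
    "</struct></value></fault></methodResponse>" % base64.b64encode(_FAKE_BLOB).decode()
)
# The same fault without the Apache-specific member, as a conforming XML-RPC server sends it.
BENIGN_FAULT_RESPONSE = (SAMPLE_FAULT_RESPONSE.split("<member><name>faultCause")[0]
                         + "</struct></value></fault></methodResponse>")

def extract_class_names(blob: bytes) -> list:
    """Heuristic scan for TC_CLASSDESC (0x72) records: tag, u2 length, class name."""
    names = []
    for m in re.finditer(rb"\x72(..)", blob, re.DOTALL):
        n = int.from_bytes(m.group(1), "big")
        name = blob[m.end():m.end() + n]
        if 0 < n == len(name) and re.fullmatch(rb"[\[A-Za-z][\w$.;\[]*", name):
            names.append(name.decode("ascii"))
    return names

def inspect_fault_cause(xml_body: str) -> dict:
    """Flag faults carrying faultCause, and whether it decodes to a Java serialization stream."""
    finding = {"is_fault": False, "has_fault_cause": False, "java_serialized": False, "class_hints": []}
    fault = ET.fromstring(xml_body).find("fault")   # use defusedxml for untrusted input in production
    if fault is None:
        return finding
    finding["is_fault"] = True
    for member in fault.iter("member"):
        if member.findtext("name") != "faultCause":
            continue
        finding["has_fault_cause"] = True            # the member alone is reason to reject the response
        b64 = "".join((member.findtext("value/base64") or "").split())
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        finding["java_serialized"] = blob.startswith(JAVA_SERIAL_MAGIC)
        finding["class_hints"] = extract_class_names(blob)
    return finding
```

The class-name scan is a hint for triage only; the decision to drop the response should rest on the presence of faultCause and the stream header, not on recognising a particular class.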