Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-6814

Опубликовано: 14 янв. 2017
Источник: redhat
CVSS3: 9.6
EPSS Низкий

Описание

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

Отчет

This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Virtualization 3jasperreports-server-proWill not fix
Red Hat JBoss A-MQ 6groovyAffected
Red Hat JBoss BRMS 5groovyWill not fix
Red Hat JBoss Enterprise Application Platform 5groovyWill not fix
Red Hat JBoss Fuse 6camelAffected
Red Hat JBoss Fuse Service Works 6camelAffected
Red Hat JBoss Operations Network 3groovyNot affected
Red Hat JBoss Portal 5groovyUnder investigation
Red Hat JBoss SOA Platform 5groovyWill not fix
Red Hat OpenShift Enterprise 2jenkinsWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-502
https://bugzilla.redhat.com/show_bug.cgi?id=1413466Groovy: Remote code execution via deserialization

EPSS

Процентиль: 86%
0.02801
Низкий

9.6 Critical

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2016-6814

CVSS3: 9.8
ubuntu
почти 8 лет назад

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

nvd логотип

CVE-2016-6814

CVSS3: 9.8
nvd
почти 8 лет назад

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

debian логотип

CVE-2016-6814

CVSS3: 9.8
debian
почти 8 лет назад

When an application with unsupported Codehaus versions of Groovy from ...

github логотип

GHSA-xphj-m9cc-8fmq

CVSS3: 9.8
github
больше 3 лет назад

Deserialization of Untrusted Data in Groovy

oracle-oval логотип

ELSA-2017-2486

oracle-oval
около 8 лет назад

ELSA-2017-2486: groovy security update (IMPORTANT)

EPSS

Процентиль: 86%
0.02801
Низкий

9.6 Critical

CVSS3