CVE-2015-3253

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2015-4852

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

| CVSS v2 metric | Value |
|---|---|
| Severity | HIGH |
| Base Score | 7.5 |
| Impact Score | 6.4 |
| Exploitability Score | 10.0 |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Access Vector | NETWORK |
| Authentication | NONE |
| Access Complexity | LOW |
|
|
CVE-2015-7450

Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2015-8103

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and to the Groovy variant of the ysoserial gadget chain.

| CVSS v2 metric | Value |
|---|---|
| Severity | HIGH |
| Base Score | 7.5 |
| Impact Score | 6.4 |
| Exploitability Score | 10.0 |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Access Vector | NETWORK |
| Authentication | NONE |
| Access Complexity | LOW |
|
|
CVE-2016-3510

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components; this is a different vulnerability from CVE-2016-3586.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2016-3642

The RMI service in SolarWinds Virtualization Manager 6.3.1 and earlier allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2016-4385

The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.

| CVSS v3 metric | Value |
|---|---|
| Severity | HIGH |
| Base Score | 7.3 |
| Impact Score | 3.4 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | LOW |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2017-12149

In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, the doFilter method of the HTTP Invoker's ReadOnlyAccessFilter does not restrict the classes it deserializes, which allows an attacker to execute arbitrary code via crafted serialized data.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2017-15708

By default, Apache Synapse requires no authentication for Java Remote Method Invocation (RMI). Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore accept specially crafted serialized objects over RMI, and the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution makes this exploitable for remote code execution. To mitigate the issue, restrict RMI access to trusted users only. Upgrading to 3.0.1 additionally removes the vulnerable Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to 3.2.2.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2017-7504

HTTPServerILServlet.java in the JMS over HTTP Invocation Layer of the JBossMQ implementation, which is enabled by default in Red Hat JBoss Application Server 4.x and earlier, does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
|
|
CVE-2018-15381

A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit it by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service; a successful exploit gives the attacker arbitrary command execution on the device as root.

| CVSS v3 metric | Value |
|---|---|
| Severity | CRITICAL |
| Base Score | 9.8 |
| Impact Score | 5.9 |
| Exploitability Score | 3.9 |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Attack Vector | NETWORK |
| Privileges Required | NONE |
| Attack Complexity | LOW |
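Nearly every entry above shares the same shape: an unauthenticated network listener (T3, RMI, the HTTP Invoker, JMS over HTTP, the Jenkins CLI) hands attacker-supplied bytes to a Java ObjectInputStream with no restriction on which classes may be instantiated, and a gadget library on the classpath (Commons Collections InvokerTransformer, Groovy MethodClosure, Commons BeanUtils) turns that into code execution. The Python script below is an added example, not code from any of the affected products: it parses the Java serialization stream format (magic 0xACED0005 followed by TC_CLASSDESC records), lists the class names a payload would try to load, flags the gadget classes named on this page, and applies the kind of class allowlist that the JBoss filters in CVE-2017-12149 and CVE-2017-7504 lacked. The sample streams are constructed inline and simplified (zero serialVersionUID, no fields, no real object graph), and GADGET_CLASSES and APP_ALLOWLIST are assumptions for the demonstration, not a complete list.

```python
"""Heuristic inspection of Java serialization streams for the gadget classes
named on this page.  Added example, not code from any affected product.
Sample streams are constructed inline and simplified."""
from __future__ import annotations

import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header: magic 0xACED, version 5
TC_OBJECT = 0x73                     # start of an object record
TC_CLASSDESC = 0x72                  # start of a class descriptor record
SC_FLAG_MAX = 0x1F                   # classDescFlags only use the low five bits
# Modified-UTF-8 class name, optionally an array/type descriptor ("[Ljava.lang.Object;")
CLASS_NAME_RE = re.compile(rb"^\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")

# Entry points of the public gadget chains the CVE entries refer to (assumed list for the demo).
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer": "Commons Collections",
    "org.apache.commons.collections.functors.ChainedTransformer": "Commons Collections",
    "org.apache.commons.collections.map.LazyMap": "Commons Collections",
    "org.codehaus.groovy.runtime.MethodClosure": "Groovy MethodClosure",
    "org.apache.commons.beanutils.BeanComparator": "Commons BeanUtils",
}


def extract_class_names(blob: bytes) -> list[str]:
    """Return the class names of every well-formed TC_CLASSDESC record in the stream.

    Record layout: 0x72, u2 name length, class name, u8 serialVersionUID,
    u1 classDescFlags, u2 field count.  The scan is byte-oriented, so the
    trailing fields are checked to reject stray 0x72 bytes inside data.
    """
    if not blob.startswith(STREAM_MAGIC):
        return []
    names: list[str] = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(blob):
        if blob[i] != TC_CLASSDESC:
            i += 1
            continue
        (length,) = struct.unpack_from(">H", blob, i + 1)
        name_end = i + 3 + length
        if length == 0 or name_end + 11 > len(blob):   # need uid(8) + flags(1) + count(2)
            i += 1
            continue
        name = blob[i + 3:name_end]
        flags = blob[name_end + 8]
        if not CLASS_NAME_RE.match(name) or flags > SC_FLAG_MAX:
            i += 1
            continue
        names.append(name.decode("ascii"))
        i = name_end + 11                              # skip past the record we just parsed
    return names


def match_gadgets(blob: bytes) -> dict[str, str]:
    """Known gadget classes present in the stream, mapped to their chain family."""
    return {n: GADGET_CLASSES[n] for n in extract_class_names(blob) if n in GADGET_CLASSES}


def violates_allowlist(blob: bytes, allowed: frozenset[str]) -> list[str]:
    """Class names a look-ahead filter would reject before any readObject() runs."""
    return [n for n in extract_class_names(blob) if n not in allowed]


def _classdesc(name: str) -> bytes:
    """Constructed TC_CLASSDESC: zero serialVersionUID, SC_SERIALIZABLE (0x02), no fields."""
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 8 + b"\x02" + b"\x00\x00"


# Constructed sample inputs (not captured traffic): a harmless HashMap, and the
# class sequence a Commons Collections payload carries.
BENIGN_STREAM = STREAM_MAGIC + bytes([TC_OBJECT]) + _classdesc("java.util.HashMap")
GADGET_STREAM = STREAM_MAGIC + b"".join(
    bytes([TC_OBJECT]) + _classdesc(n)
    for n in (
        "java.util.HashMap",
        "org.apache.commons.collections.map.LazyMap",
        "org.apache.commons.collections.functors.ChainedTransformer",
        "org.apache.commons.collections.functors.InvokerTransformer",
    )
)
APP_ALLOWLIST = frozenset({"java.util.HashMap"})   # assumed: what the endpoint legitimately expects


if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("gadget", GADGET_STREAM)):
        print(label, extract_class_names(stream))
        print("  gadgets:", match_gadgets(stream))
        print("  rejected by allowlist:", violates_allowlist(stream, APP_ALLOWLIST))
```

The scan is useful for triaging a captured request body or a T3/RMI payload from a packet capture, but it is not a control: it cannot see inside encrypted or compressed transports, and a class name can be renamed in a private gadget chain. The allowlist check is the part that belongs in production, implemented on the JVM side as a look-ahead filter (a resolveClass override or an ObjectInputFilter) that rejects the descriptor before any constructor or readObject code runs, which is exactly what the unrestricted filters in the JBoss entries failed to do.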
|
|