Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
veracodeVeracode Vulnerability DatabaseVERACODE:1847
HistoryNov 09, 2015 - 7:34 p.m.

Potential Remote Code Execution Via Java Object Deserialization

2015-11-0919:34:22
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
32

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It’s not necessary to actually use InvokerTransfomer to be vulnerable. With these two criteria satisfied, an attacker may construct a gadget chain using classes in the component to execute arbitrary code. The chain relies on the class InvokerTransformer in the org.apache.commons.collections.functors package to invoke methods during the deserialization process. The fix prevents deserialization of InvokerTransformer by default unless it’s specifically enabled. CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact.

References

Related

myhack58 1
ubuntucve 1
canvas 1
ibm 105
saint 8
nuclei 1
checkpoint_advisories 3
nessus 18
openvas 12
attackerkb 2
packetstorm 3
zdt 3
prion 3
cve 3
f5 2
cvelist 3
redhat 16
cisa_kev 2
exploitpack 1
cert 1
oraclelinux 3
mageia 1
osv 1
seebug 1
centos 2
github 1
debiancve 1
myhack58
myhack58
The use of server vulnerability mining black production case study-vulnerability warning-the black bar safety net
2017-03-15 00:00:00
ubuntucve
ubuntucve
CVE-2015-4852
2015-11-18 00:00:00
canvas
canvas
Immunity Canvas: WEBLOGIC_T3_DESERIALIZATION
2017-11-09 17:29:00
ibm
ibm
Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of Apache Commons Collections (multiple vulnerabilities)
2022-11-22 16:37:00
Security Bulletin: Multiple vulnerabilities in Apache Commons Collections affect IBM InfoSphere Information Server
2022-10-14 22:00:35
Security Bulletin: IBM Jazz for Service Management (JazzSM) is affected with multiple vulnerabilities (CVE-2015-4852, CVE-2015-6420, CVE-2017-15708)
2020-10-20 11:33:26
saint
saint
IBM WebSphere Management Server Apache Commons
2016-02-03 00:00:00
Oracle WebLogic Apache Commons library deserialization vulnerability
2015-11-20 00:00:00
Oracle WebLogic Apache Commons library deserialization vulnerability
2015-11-20 00:00:00
nuclei
nuclei
IBM WebSphere Java Object Deserialization - Remote Code Execution
2021-09-01 15:13:55
checkpoint_advisories
checkpoint_advisories
IBM WebSphere Application Server Commons-Collections Library Remote Code Execution (CVE-2015-7450)
2015-11-25 00:00:00
WebLogic Apache Commons Java Collections Library Remote Code Execution (CVE-2015-4852)
2015-11-19 00:00:00
WebSphere Server and JBoss Platform Apache Commons Collections Remote Code Execution (CVE-2015-7501)
2015-11-17 00:00:00
nessus
nessus
IBM WebSphere Java Object Deserialization RCE
2015-12-02 00:00:00
Oracle WebLogic Java Object Deserialization RCE
2015-11-23 00:00:00
CentOS 5 : jakarta-commons-collections (CESA-2015:2671)
2015-12-22 00:00:00
openvas
openvas
Oracle WebLogic Server Java Deserialization Vulnerability
2016-07-27 00:00:00
Oracle WebLogic Server Remote Code Execution Vulnerability
2015-11-17 00:00:00
IBM WebSphere Application Server Unserialize Vulnerability
2015-11-17 00:00:00
attackerkb
attackerkb
CVE-2015-4852
2015-11-18 00:00:00
CVE-2015-7450
2016-01-02 00:00:00
packetstorm
packetstorm
Oracle Weblogic Server Deserialization Remote Code Execution
2019-03-27 00:00:00
IBM WebSphere Remote Code Execution Java Deserialization
2017-03-14 00:00:00
Oracle WebLogic Server Java Deserialization Remote Code Execution
2017-09-29 00:00:00
zdt
zdt
Websphere / JBoss / OpenNMS / Symantec - Java Deserialization Remote Code Execution
2018-04-29 00:00:00
IBM WebSphere Remote Code Execution Java Deserialization Exploit
2017-03-15 00:00:00
Oracle WebLogic Server 10.3.6.0 - Java Deserialization Exploit
2017-09-28 00:00:00
prion
prion
Code injection
2015-11-18 15:59:00
Input validation
2017-11-09 17:29:00
Design/Logic Flaw
2016-01-02 21:59:00
cve
cve
CVE-2015-4852
2015-11-18 15:59:00
CVE-2015-7450
2016-01-02 21:59:15
CVE-2015-7501
2017-11-09 17:29:00
f5
f5
SOL30518307 - Java commons-collections library vulnerability CVE-2015-4852
2015-12-15 00:00:00
K30518307 : Java commons-collections library vulnerability CVE-2015-4852
2015-12-15 00:00:00
cvelist
cvelist
CVE-2015-7450
2016-01-02 21:00:00
CVE-2015-4852
2015-11-18 15:00:00
CVE-2015-7501
2017-11-09 00:00:00
redhat
redhat
(RHSA-2015:2521) Important: jakarta-commons-collections security update
2015-11-30 00:00:00
(RHSA-2016:0040) Critical: Red Hat JBoss Operations Network 3.1.2 Hotfix 11 update
2016-01-14 18:31:06
(RHSA-2015:2671) Important: jakarta-commons-collections security update
2015-12-21 00:00:00
cisa_kev
cisa_kev
Oracle WebLogic Server Deserialization of Untrusted Data Vulnerability
2021-11-03 00:00:00
IBM WebSphere Application Server and Server Hypervisor Edition Code Injection.
2022-01-10 00:00:00
exploitpack
exploitpack
Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution
2017-09-27 00:00:00
cert
cert
Apache Commons Collections Java library insecurely deserializes data
2015-11-13 00:00:00
oraclelinux
oraclelinux
jakarta-commons-collections security update
2015-12-21 00:00:00
apache-commons-collections security update
2015-11-30 00:00:00
jakarta-commons-collections security update
2015-11-30 00:00:00
mageia
mageia
Updated apache-commons-collections packages fix security vulnerability
2016-01-14 04:44:39
osv
osv
Deserialization of Untrusted Data in Apache commons collections
2022-05-13 01:25:20
seebug
seebug
Red Hat JBoss Portal安全绕过漏洞
2015-12-04 00:00:00
centos
centos
jakarta security update
2015-12-02 13:38:14
apache security update
2015-12-01 22:25:12
github
github
Deserialization of Untrusted Data in Apache commons collections
2022-05-13 01:25:20
debiancve
debiancve
CVE-2015-7501
2017-11-09 17:29:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for VERACODE:1847
myhack581ubuntucve1canvas1ibm105saint8nuclei1checkpoint_advisories3nessus18openvas12attackerkb2packetstorm3zdt3prion3cve3f52cvelist3redhat16cisa_kev2exploitpack1cert1oraclelinux3mageia1osv1seebug1centos2github1debiancve1