CVSS3: 9.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Apache Groovy is vulnerable to remote code execution. The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.7 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. Note: this is similar to CVE-2015-3253, but this exploit involves extra wrapping of objects and catching of exceptions, which are now safeguarded against.

CPE

Name | Operator | Version |
---|---|---|
apache groovy | le | 2.4.7 |
groovy | eq | 1.8.9__7.el7 |
rh-maven33-groovy | eq | 1.8.9__7.18.el7 |
rh-maven33-groovy | eq | 1.8.9__7.18.el6 |

groovy-lang.org/security.html
mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E
rhn.redhat.com/errata/RHSA-2017-0272.html
seclists.org/oss-sec/2017/q1/92
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
www.securityfocus.com/bid/95429
www.securitytracker.com/id/1039600
access.redhat.com/errata/RHSA-2017:0868
access.redhat.com/errata/RHSA-2017:2486
access.redhat.com/errata/RHSA-2017:2596
github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764
github.com/apache/groovy/compare/03e3812cff011eda75a518af7f8f676db8622316...716d3e67e744c7edeed7cbc3f874090d39355764
github.com/jt1796/groovy/pull/1
issues.apache.org/jira/browse/TINKERPOP-1611
security.gentoo.org/glsa/202003-01
www.oracle.com/security-alerts/cpujan2020.html
www.oracle.com/security-alerts/cpujul2020.html
www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html