CVE-2016-6814

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2016-6814
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-6814.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-6814
Aliases
Downstream
Related
Published
2018-01-18T18:29:00.233Z
Modified
2025-11-14T03:34:00.827791Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

References

Affected packages

Git / github.com/apache/groovy

Affected ranges

Type
GIT
Repo
https://github.com/apache/groovy
Events
Introduced
716b0b1bd56eeab04e4441eecc91c2cd8bfda8b6
Last affected
042950dc23257bbc65cd2258f2fd2a197a98f802
Introduced
e0407c58f79853e53e827e0eb52aaac2a39c6936
Last affected
1212b292c34804e3f14af2fbda5daaa85037a039