GHSA-fjq5-5j5f-mvxh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fjq5-5j5f-mvxh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fjq5-5j5f-mvxh
- Aliases
- Published
- 2022-05-13T01:25:20Z
- Modified
- 2024-02-17T05:37:14.855709Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Deserialization of Untrusted Data in Apache commons collections
- Details
-
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
- Database specific
{ "github_reviewed_at": "2022-11-03T22:57:31Z", "cwe_ids": [ "CWE-502" ], "nvd_published_at": "2017-11-09T17:29:00Z", "github_reviewed": true, "severity": "CRITICAL" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-7501
- https://access.redhat.com/security/vulnerabilities/2059393
- https://access.redhat.com/solutions/2045023
- https://arxiv.org/pdf/2306.05534.pdf
- https://bugzilla.redhat.com/show_bug.cgi?id=1279330
- https://commons.apache.org/proper/commons-collections/release_4_1.html
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability
- https://github.com/apache/commons-collections
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501
- https://issues.apache.org/jira/browse/COLLECTIONS-580.
- https://sourceforge.net/p/collections/code/HEAD/tree
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
Affected packages
Maven
commons-collections:commons-collections
Package
- Name
- commons-collections:commons-collections
- View open source insights on deps.dev
- Purl
- pkg:maven/commons-collections/commons-collections
org.apache.commons:commons-collections4
Package
- Name
- org.apache.commons:commons-collections4
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.commons/commons-collections4
org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections
Package
- Name
- org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections
net.sourceforge.collections:collections-generic
Package
- Name
- net.sourceforge.collections:collections-generic
- View open source insights on deps.dev
- Purl
- pkg:maven/net.sourceforge.collections/collections-generic
org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic
Package
- Name
- org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic