CVE-2016-6814 – org.codehaus.groovy:groovy-all

Package

Manager: maven
Name: org.codehaus.groovy:groovy-all
Vulnerable Version: >=1.7.0 <2.4.8

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.04118 pctl0.88171

Details

Deserialization of Untrusted Data in Groovy When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

Metadata

Created: 2022-05-13T01:25:19Z
Modified: 2024-10-17T16:19:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xphj-m9cc-8fmq/GHSA-xphj-m9cc-8fmq.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-xphj-m9cc-8fmq
Finding: F096
Auto approve: 1