PT-2015-6124 · Apache · Apache Groovy

Published: 2015-07-20 · Updated: 2024-08-06 · CVE-2015-3253

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Groovy versions 1.7.0 through 2.4.3

Description: The issue allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. It is related to the deserialization of untrusted data in Apache Groovy.

Recommendations: For Apache Groovy versions 1.7.0 through 2.4.3, consider avoiding the deserialization of untrusted data as a temporary workaround until a patch is available. Restrict access to the MethodClosure class to minimize the risk of exploitation.

Fix

RCE

DoS

Special Elements Injection

Weakness Enumeration

Related Identifiers

CESA-2017_2486
CVE-2015-3253
DLA-274-1
GHSA-QG25-HGJV-CG9Q
MGASA-2015-0296
MGASA-2017-0333
RHSA-2017:2486
RHSA-2017:2596
RHSA-2017_2486
ZDI-15-365

Affected Products

Apache Groovy
CentOS
Red Hat