PT-2016-3147 · Jython · Jython

Published: 2016-01-19 · Updated: 2022-05-13 · CVE-2016-4000

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jython versions prior to 2.7.1rc1
Description: The issue stems from deserialization of untrusted data. A remote attacker can supply a specially crafted serialized PyFunction object which, when restored in memory, leads to execution of arbitrary code.
Recommendations: For versions prior to 2.7.1rc1, update to version 2.7.1rc1 or later to resolve the issue. As a temporary workaround, consider restricting the use of serialized PyFunction objects until a patch is available.
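One way to implement the workaround above on the consuming side, as an added example that is not part of this advisory or of Jython itself: install a JDK serialization filter (java.io.ObjectInputFilter, available since JDK 9) that rejects org.python.core.PyFunction and the rest of the Jython runtime before any object is instantiated. The com.example.dto package in the allow-list is a hypothetical placeholder for an application's own data classes.

```java
import java.io.*;

// Added example (not Jython project code): deny-by-default deserialization
// of untrusted input, with Jython classes rejected explicitly and logged.
public class UntrustedStreamReader {

    // Patterns are matched in order; the trailing "!*" rejects everything not
    // listed. com.example.dto.* is an assumed application package.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "!org.python.core.PyFunction;!org.python.**;"
            + "com.example.dto.*;java.lang.*;java.util.*;"
            + "maxdepth=16;maxrefs=1000;!*");

    // Wrap the allow-list so every rejected class name is logged: a stream
    // carrying a PyFunction is a detection signal, not just an error.
    private static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status status = ALLOW_LIST.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED && info.serialClass() != null) {
            System.err.println("rejected serialized class: " + info.serialClass().getName());
        }
        return status;
    };

    // Deserialize bytes from an untrusted source; a rejected class surfaces as
    // InvalidClassException before its constructor or readObject runs.
    public static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(LOGGING_FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a String is permitted by java.lang.*
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject("hello");
        }
        System.out.println(readUntrusted(buf.toByteArray()));

        // Constructed sample input: a class outside the allow-list (java.net.URL)
        // is blocked exactly as a serialized PyFunction would be.
        buf.reset();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new java.net.URL("http://example.invalid/"));
        }
        try {
            readUntrusted(buf.toByteArray());
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```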

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2017-01747
CVE-2016-4000
DLA-989-1
DSA-3893-1
GHSA-6R7R-JJ8H-PQ6V
SNYK-JAVA-ORGPYTHON-31451

Affected Products

Jython