Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZoZ20tODY2ci0zY2p2
Insecure Deserialization in Apache Commons Collections
Java applications that deserialize untrusted data while the Apache Commons Collections (ACC) library is on the classpath may allow remote attackers to execute arbitrary code via a crafted serialized Java object. The library does not deserialize anything itself: its functor classes (InvokerTransformer and the transformers that can be chained with it) form a gadget chain that runs attacker-chosen method calls while the application's own ObjectInputStream reconstructs the object graph. Commons Collections 3.2.2 refuses to deserialize these functors unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true, and commons-collections4 4.1 no longer makes them serializable at all. Either fix removes only this gadget chain; code that hands untrusted bytes to ObjectInputStream remains exposed to other chains unless that code is replaced or guarded with a serialization filter.
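The application-side control a practitioner would pair with the version upgrade, shown as an added example that is not code from this advisory or from Apache Commons Collections: a default-deny Java serialization filter (JEP 290, Java 9 and later) attached to the ObjectInputStream, so that only the types the endpoint expects can be reconstructed and the functor packages that carry the Commons Collections gadget chain are rejected by name. The Order class, the resource limits, and the HashMap standing in for an attacker-chosen class are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not code from the advisory or from Apache Commons Collections):
 * a default-deny serialization filter for an endpoint that expects one application
 * type. Order and the limits below are illustrative assumptions.
 */
public class FilteredDeserialization {

    /** The one application type this endpoint is willing to accept (assumed). */
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Patterns are evaluated left to right; the first match decides.
    //  1. Reject the functor packages of commons-collections 3.x and 4.x by name
    //     (InvokerTransformer, ChainedTransformer, ... live there). Redundant under
    //     the trailing "!*", but it keeps the intent visible if the allowlist is widened.
    //  2. Allow exactly the expected types: the nested Order class (binary name
    //     FilteredDeserialization$Order, matched by the prefix pattern) and String.
    //  3. Bound nesting depth, total stream bytes and array lengths.
    //  4. Reject every other class.
    static final String FILTER_PATTERN =
            "!org.apache.commons.collections.functors.**;"
          + "!org.apache.commons.collections4.functors.**;"
          + "FilteredDeserialization$*;"
          + "java.lang.String;"
          + "maxdepth=10;maxbytes=65536;maxarray=1000;"
          + "!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Deserialize with the filter attached; a rejected class surfaces as InvalidClassException. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER); // must be set before the first readObject()
            return in.readObject();
        }
    }

    /** Helper that produces the byte stream a client would send (constructed input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the filter and is reconstructed normally.
        Order order = (Order) readFiltered(serialize(new Order("A-1", 3)));
        System.out.println("accepted: " + order.id + " x" + order.quantity);

        // Any class outside the allowlist is rejected when its class descriptor is read,
        // before any of its fields are deserialized. A HashMap stands in for an
        // attacker-chosen class; with the gadget chain on the classpath the functor
        // classes are rejected at the same point.
        Map<String, String> untrusted = new HashMap<>();
        untrusted.put("k", "v");
        try {
            readFiltered(serialize(untrusted));
            System.out.println("BUG: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac FilteredDeserialization.java followed by java FilteredDeserialization. The same pattern string can be applied process-wide without rebuilding the application through the jdk.serialFilter system property, which is the quickest stopgap for a deployed service that cannot yet take the 3.2.2 or 4.1 upgrade; the filter is a complement to the upgrade, not a substitute, since it does nothing for deserialization paths that bypass ObjectInputStream.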
Permalink: https://github.com/advisories/GHSA-6hgm-866r-3cjv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZoZ20tODY2ci0zY2p2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 4 years ago
Updated: over 1 year ago
Identifiers: GHSA-6hgm-866r-3cjv, CVE-2015-6420
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-6420
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://www.kb.cert.org/vuls/id/581311
- https://www.tenable.com/security/research/tra-2017-14
- https://www.tenable.com/security/research/tra-2017-23
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.securityfocus.com/bid/78872
- https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E
- https://arxiv.org/pdf/2306.05534
- https://github.com/advisories/GHSA-6hgm-866r-3cjv
Affected Packages
maven:org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections
Dependent packages: 11
Dependent repositories: 45
Affected Version Ranges: <= 3.2.1
No known fixed version
maven:org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic
Dependent packages: 3
Dependent repositories: 5
Affected Version Ranges: <= 4.01
No known fixed version
maven:net.sourceforge.collections:collections-generic
Dependent packages: 83
Dependent repositories: 384
Affected Version Ranges: <= 4.0.1
No known fixed version
maven:commons-collections:commons-collections
Dependent packages: 5,134
Dependent repositories: 63,019
Affected Version Ranges: < 3.2.2
Fixed in: 3.2.2
All affected versions: 2.1.1, 3.2.1
All unaffected versions: 3.2.2
maven:org.apache.commons:commons-collections4
Dependent packages: 3,801
Dependent repositories: 26,825
Affected Version Ranges: < 4.1
Fixed in: 4.1