CVE-2015-6420
EPSS: 21.2%
Insecure Deserialization in Apache Commons Collections
Published: 6/15/2020
Modified: 11/28/2024
Also known as: GHSA-6hgm-866r-3cjv
Description
Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.
Affected packages (5)
- Maven / commons-collections:commons-collections: from 0, < 3.2.2
- Maven / net.sourceforge.collections:collections-generic: from 0, <= 4.0.1
- Maven / org.apache.commons:commons-collections4: from 0, < 4.1
- Maven / org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic: from 0, <= 4.01
- Maven / org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections: from 0, <= 3.2.1
References (12)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2015-6420
- PATCH: https://github.com/apache/commons-collections
- WEB: https://arxiv.org/pdf/2306.05534
- WEB: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
- WEB: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- WEB: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E
- WEB: https://www.kb.cert.org/vuls/id/581311
- WEB: https://www.tenable.com/security/research/tra-2017-14
- WEB: https://www.tenable.com/security/research/tra-2017-23
- WEB: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
- WEB: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- WEB: http://www.securityfocus.com/bid/78872