CVE-2016-6814

CRITICAL9.8EPSS 24.3%

groovy - security update

Published: 5/13/2022Modified: 4/28/2026

Description

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

Affected packages (4)

Debian/groovyfrom 0, < 2.4.8-1
Debian/groovyfrom 0, < 1.8.6-1+deb7u2
Maven/org.codehaus.groovy:groovy>= 1.7.0, < 2.4.8
Maven/org.codehaus.groovy:groovy-all>= 1.7.0, < 2.4.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (16)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-6814
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-6814
WEBhttp://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E
WEBhttp://rhn.redhat.com/errata/RHSA-2017-0272.html
WEBhttps://access.redhat.com/errata/RHSA-2017:0868
WEBhttps://access.redhat.com/errata/RHSA-2017:2486
WEBhttps://access.redhat.com/errata/RHSA-2017:2596
WEBhttps://security.gentoo.org/glsa/202003-01
WEBhttps://www.oracle.com/security-alerts/cpujan2020.html
WEBhttps://www.oracle.com/security-alerts/cpujul2020.html
WEBhttps://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
WEBhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
WEBhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
WEBhttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
WEBhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
WEBhttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html