CVE-2016-6814

{"id": "CVE-2016-6814", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-01-18T18:29:00.233", "references": [{"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "source": "cve@mitre.org"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "source": "cve@mitre.org"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/95429", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id/1039600", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2017:0868", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2017:2486", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2017:2596", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202003-01", "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "source": "cve@mitre.org"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."}, {"lang": "es", "value": "Cuando una aplicaci\u00f3n con versiones de Codehaus no soportadas de Groovy desde la versi\u00f3n 1.7.0 hasta la 2.4.3 o Apache Groovy desde la versi\u00f3n 2.4.4 hasta la 2.4.7 en classpath usa mecanismos est\u00e1ndar de serializaci\u00f3n de Java (por ejemplo, para comunicarse entre servidores o almacenar datos locales), un atacante pudo preparar un objeto especialmente serializado que ejecutar\u00e1 c\u00f3digo directamente al ser deserializado. Todas las aplicaciones que dependen de la serializaci\u00f3n y no a\u00edslan el c\u00f3digo que deserializa objetos estaban sujetos a esta vulnerabilidad."}], "lastModified": "2020-07-15T03:15:16.327", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EB4409D-39D4-4F6B-AD3E-2E9B0997B6A1", "versionEndIncluding": "2.4.3", "versionStartIncluding": "1.7.0"}, {"criteria": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8F237F9-F70E-4815-BA42-5B5E8152965C", "versionEndIncluding": "2.4.7", "versionStartIncluding": "2.4.4"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}