Severity
9.8CRITICAL
EPSS
71.5%
top 1.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 9
Latest update: May 13

Description

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Com

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages
20 packages

🔴Vulnerability Details

5
OSV
Deserialization of Untrusted Data in Apache commons collections (2022-05-13)
GHSA
Deserialization of Untrusted Data in Apache commons collections (2022-05-13)
CVEList
CVE-2015-7501: Red Hat JBoss A-MQ 6 (2017-11-09)
OSV
CVE-2015-7501: Red Hat JBoss A-MQ 6 (2017-11-09)
VulnCheck
Red Hat data_grid Deserialization of Untrusted Data (2015)

📋Vendor Advisories

3
Oracle
Oracle Supply Chain Risk Matrix: Middle Tier (Apache Commons Collections) — CVE-2015-7501 (2020-07-15)
Red Hat
apache-commons-collections: InvokerTransformer code execution during deserialisation (2015-11-06)
Debian
CVE-2015-7501: libcommons-collections3-java - Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) ... (2015)

💬Community

2
Bugzilla
CVE-2016-3690 PooledInvokerServlet is not secured, and deserializes data (2016-04-14)
Bugzilla
CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation (2015-11-09)