CVE-2016-4000: Deserialization of Untrusted Data in Jython

Severity
9.8 CRITICAL (NVD)
EPSS
12.5%
top 6.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 6
Latest update: May 13

Description

Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. Any application that feeds attacker-controlled bytes to Java's ObjectInputStream while Jython's classes are on the classpath is exposed; the code runs during deserialization, so no later call into the resulting object is needed.
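The vulnerable pattern beside a hardened reader, as an added example that is not Jython project code and not part of the original advisory. The unsafe method is the shape of the bug: whatever class the stream names gets instantiated, org.python.core.PyFunction included. The hardened reader overrides resolveClass(), which the JDK calls before any object is constructed, and refuses every class not on an explicit allowlist. The Greeting class and the class names on the allowlists are constructed for illustration; the only name taken from this CVE is org.python.core.PyFunction.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserialize {

    // Constructed sample type standing in for whatever the application legitimately exchanges.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    /** Vulnerable: the stream decides which classes get instantiated. */
    static Object readUntrustedUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /**
     * Hardened: resolveClass() runs for every non-String, non-primitive class descriptor
     * before the object is built, so a disallowed class is rejected without any of its
     * deserialization hooks (readObject, readResolve) ever executing.
     */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not permitted for deserialization");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readUntrustedSafe(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a serialized Greeting plays the role of the incoming message.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new Greeting("hello"));
        }
        byte[] bytes = bos.toByteArray();

        // An allowlist that names only the expected type accepts the message ...
        Greeting g = (Greeting) readUntrustedSafe(bytes, Set.of("SafeDeserialize$Greeting"));
        System.out.println("accepted: " + g.text);

        // ... and the same reader rejects the stream as soon as it names anything else.
        // (A real PyFunction payload would fail here in exactly the same way, before construction.)
        try {
            readUntrustedSafe(bytes, Set.of("org.python.core.PyObject"));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On JDK 9 and later (and 8u121+) the same policy can be expressed without subclassing through ObjectInputFilter, e.g. ObjectInputFilter.Config.createFilter("SafeDeserialize$Greeting;!*") installed with setObjectInputFilter() on the stream; either way the fix for this CVE itself is to move to Jython 2.7.1rc1 or later, and the filter is defence in depth for the next gadget class.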

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

Debian: debian/jython < jython 2.5.3-17 (bookworm)
Debian: jython_project/jython < 2.5.3-17+3

Also affects: Debian Linux 8.0

Patches

🔴 Vulnerability Details (3)

OSV
Deserialization of Untrusted Data in Jython (2022-05-13)
GHSA
Deserialization of Untrusted Data in Jython (2022-05-13)
OSV
CVE-2016-4000: Jython before 2 (2017-07-06)

💥 Exploits & PoCs (1)

Exploit-DB
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS16-039) (2018-03-01)
Note: this entry is a Windows kernel privilege-escalation exploit and has no relation to Jython or CVE-2016-4000; the "No known exploits" status above stands.

📋 Vendor Advisories (7)

Oracle
Oracle Supply Chain Risk Matrix: Middle Tier (jython) — CVE-2016-4000 (2020-07-15)
Oracle
Oracle Communications Applications Risk Matrix: IDIH Visualization (Jython) — CVE-2016-4000 (2020-04-15)
Oracle
Oracle Enterprise Manager Risk Matrix: Oracle Flow Builder (Jython) — CVE-2016-4000 (2020-01-15)
Cisco
Cisco Industrial Ethernet 4000 and Ethernet 5000 Series Switches ICMP IPv4 Packet Corruption Vulnerability (2016-05-13)
Note: the Cisco advisory concerns switch ICMP handling, not Jython; it is unrelated to CVE-2016-4000.
Red Hat
jython: Unsafe deserialization leads to code execution (2016-02-01)

🕵️ Threat Intelligence (2)

Tenable
Oracle Critical Patch Update for October Contains 180 Fixes (2019-10-16)
Tenable
Oracle Critical Patch Update For April Contains 297 Fixes (2019-04-17)

💬 Community (2)

Bugzilla
CVE-2016-4000 jython: Unsafe deserialization leads to code execution (2017-06-15)
Bugzilla
CVE-2014-4000 cacti: Multiple issues fixed in 1.0.0 version (2017-01-30)
Note: the cacti entry tracks a different CVE (CVE-2014-4000) and is unrelated to this Jython issue.