CVE-2016-6814

CWE-502 — Deserialization of Untrusted Data13 documents9 sources

Severity

9.8CRITICAL

EPSS

25.7%

top 3.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Groovy Redhat Enterprise Linux Server

Timeline

PublishedJan 18

Latest updateMay 13

Description

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶Mavenorg.codehaus.groovy:groovy1.7.0 — 2.4.8

▶Mavenorg.codehaus.groovy:groovy-all1.7.0 — 2.4.8

▶NVDapache/groovy1.7.0 — 2.4.3+1

▶Debiangroovy< 2.4.8-1+3

▶NVDredhat/enterprise_linux_server7.0

Patches

Patch: mail-archives.apache.org ↗Patch: mail-archives.apache.org ↗

🔴Vulnerability Details

OSV

Deserialization of Untrusted Data in Groovy↗2022-05-13

▶

GHSA

Deserialization of Untrusted Data in Groovy↗2022-05-13

▶

OSV

CVE-2016-6814: When an application with unsupported Codehaus versions of Groovy from 1↗2018-01-18

▶

CVEList

CVE-2016-6814: When an application with unsupported Codehaus versions of Groovy from 1↗2018-01-18

▶

📋Vendor Advisories

Ubuntu

Apache Groovy vulnerability↗2021-03-15

▶

Oracle

Oracle Oracle Supply Chain Risk Matrix: Install (Apache Groovy) — CVE-2016-6814↗2020-07-15

▶

Oracle

Oracle Oracle Supply Chain Risk Matrix: CAX Client (Apache Groovy) — CVE-2016-6814↗2020-01-15

▶

Red Hat

Groovy: Remote code execution via deserialization↗2017-01-14

▶

Debian

CVE-2016-6814: groovy - When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2...↗2016

▶

💬Community

Bugzilla

CVE-2016-6814 Apache Groovy: Remote code execution via deserialization↗2017-01-16

▶

Bugzilla

CVE-2016-6814 groovy: Apache Groovy: Information disclosure [fedora-all]↗2017-01-16

▶

Bugzilla

CVE-2016-6814 groovy18: Apache Groovy: Information disclosure [fedora-all]↗2017-01-16

▶