{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-01-15T00:00:00", "descriptions": [{"lang": "en", "value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-15T02:22:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "RHSA-2017:2596", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2596"}, {"name": "RHSA-2017:0868", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:0868"}, {"name": "RHSA-2017:2486", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2486"}, {"name": "RHSA-2017:0272", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"}, {"name": "95429", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95429"}, {"name": "1039600", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1039600"}, {"name": "GLSA-202003-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_MISC"], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_PUBLIC": "2018-01-15T00:00:00", "ID": "CVE-2016-6814", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2017:2596", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2596"}, {"name": "RHSA-2017:0868", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:0868"}, {"name": "RHSA-2017:2486", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2017:2486"}, {"name": "RHSA-2017:0272", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"}, {"name": "95429", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95429"}, {"name": "1039600", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1039600"}, {"name": "GLSA-202003-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-01"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"name": "https://www.oracle.com/security-alerts/cpujul2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", "refsource": "CONFIRM", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "refsource": "MISC", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E", "refsource": "MISC", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T01:43:37.985Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2017:2596", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2596"}, {"name": "RHSA-2017:0868", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:0868"}, {"name": "RHSA-2017:2486", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2486"}, {"name": "RHSA-2017:0272", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"}, {"name": "95429", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95429"}, {"name": "1039600", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1039600"}, {"name": "GLSA-202003-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-01"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-6814", "datePublished": "2018-01-18T18:00:00Z", "dateReserved": "2016-08-12T00:00:00", "dateUpdated": "2024-09-16T20:52:30.155Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EB4409D-39D4-4F6B-AD3E-2E9B0997B6A1", "versionEndIncluding": "2.4.3", "versionStartIncluding": "1.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8F237F9-F70E-4815-BA42-5B5E8152965C", "versionEndIncluding": "2.4.7", "versionStartIncluding": "2.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."}, {"lang": "es", "value": "Cuando una aplicaci\u00f3n con versiones de Codehaus no soportadas de Groovy desde la versi\u00f3n 1.7.0 hasta la 2.4.3 o Apache Groovy desde la versi\u00f3n 2.4.4 hasta la 2.4.7 en classpath usa mecanismos est\u00e1ndar de serializaci\u00f3n de Java (por ejemplo, para comunicarse entre servidores o almacenar datos locales), un atacante pudo preparar un objeto especialmente serializado que ejecutar\u00e1 c\u00f3digo directamente al ser deserializado. Todas las aplicaciones que dependen de la serializaci\u00f3n y no a\u00edslan el c\u00f3digo que deserializa objetos estaban sujetos a esta vulnerabilidad."}], "id": "CVE-2016-6814", "lastModified": "2020-07-15T03:15:16.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-18T18:29:00.233", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"}, {"source": "cve@mitre.org", "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95429"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1039600"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://access.redhat.com/errata/RHSA-2017:0868"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2486"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2596"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202003-01"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2017:2486", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "groovy-0:1.8.9-8.el7_4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2017-08-17T00:00:00Z"}, {"advisory": "RHSA-2017:0868", "cpe": "cpe:/a:redhat:jboss_amq:6.3", "product_name": "Red Hat JBoss A-MQ 6.3", "release_date": "2017-04-03T00:00:00Z"}, {"advisory": "RHSA-2017:0272", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3", "impact": "moderate", "package": "groovy", "product_name": "Red Hat JBoss Data Virtualization 6.3", "release_date": "2017-02-14T00:00:00Z"}, {"advisory": "RHSA-2017:0868", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "product_name": "Red Hat JBoss Fuse 6.3", "release_date": "2017-04-03T00:00:00Z"}, {"advisory": "RHSA-2017:2596", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-maven33-groovy-0:1.8.9-7.19.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2017-09-05T00:00:00Z"}, {"advisory": "RHSA-2017:2596", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-maven33-groovy-0:1.8.9-7.19.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2017-09-05T00:00:00Z"}, {"advisory": "RHSA-2017:2596", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-maven33-groovy-0:1.8.9-7.19.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2017-09-05T00:00:00Z"}, {"advisory": "RHSA-2017:2596", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-maven33-groovy-0:1.8.9-7.19.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date": "2017-09-05T00:00:00Z"}], "bugzilla": {"description": "Groovy: Remote code execution via deserialization", "id": "1413466", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.6", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.", "It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability."], "name": "CVE-2016-6814", "package_state": [{"cpe": "cpe:/a:redhat:enterprise_linux:7::hypervisor", "fix_state": "Will not fix", "package_name": "jasperreports-server-pro", "product_name": "Red Hat Enterprise Virtualization 3"}, {"cpe": "cpe:/a:redhat:jboss_amq:6", "fix_state": "Affected", "package_name": "groovy", "product_name": "Red Hat JBoss A-MQ 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "groovy", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Will not fix", "package_name": "groovy", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Affected", "package_name": "camel", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Affected", "package_name": "camel", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "groovy", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Under investigation", "package_name": "groovy", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Will not fix", "package_name": "groovy", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "groovy", "product_name": "Red Hat Satellite 6"}], "public_date": "2017-01-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-6814\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-6814"], "statement": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.", "threat_severity": "Important", "upstream_fix": "groovy 2.4.8"}