[MAVEN:GHSA-FJQ5-5J5F-MVXH] Deserialization of Untrusted Data in Apache commons collections

Severity Critical
Affected Packages 5
Fixed Packages 2
CVEs 1

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

ID: MAVEN:GHSA-FJQ5-5J5F-MVXH
Severity: critical
URL: https://github.com/advisories/GHSA-fjq5-5j5f-mvxh
Published: 2022-05-13T01:25:20 (2 years ago)
Modified: 2023-11-02T22:53:04 (10 months ago)
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections | org.apache.servicemix.bundles | org.apache.servicemix.bundles.commons-collections | >= 3.2.1 < 3.2.2 | | | |
| Affected | pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic | org.apache.servicemix.bundles | org.apache.servicemix.bundles.collections-generic | >= 4.01 < 4.02 | | | |
| Affected | pkg:maven/org.apache.commons/commons-collections4 | org.apache.commons | commons-collections4 | < 4.1 | | | |
| Fixed | pkg:maven/org.apache.commons/commons-collections4 | org.apache.commons | commons-collections4 | = 4.1 | | | |
| Affected | pkg:maven/net.sourceforge.collections/collections-generic | net.sourceforge.collections | collections-generic | = 4.01 | | | |
| Affected | pkg:maven/commons-collections/commons-collections | commons-collections | commons-collections | < 3.2.2 | | | |
| Fixed | pkg:maven/commons-collections/commons-collections | commons-collections | commons-collections | = 3.2.2 | | | |