[MAVEN:GHSA-FJQ5-5J5F-MVXH] Deserialization of Untrusted Data in Apache commons collections
Severity: Critical
Affected Packages: 5
Fixed Packages: 2
CVEs: 1
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
Package | Affected Version |
---|---|
pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections | >= 3.2.1, < 3.2.2 |
pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic | >= 4.01, < 4.02 |
pkg:maven/org.apache.commons/commons-collections4 | < 4.1 |
pkg:maven/net.sourceforge.collections/collections-generic | = 4.01 |
pkg:maven/commons-collections/commons-collections | < 3.2.2 |
Package | Fixed Version |
---|---|
pkg:maven/org.apache.commons/commons-collections4 | = 4.1 |
pkg:maven/commons-collections/commons-collections | = 3.2.2 |
- ID: MAVEN:GHSA-FJQ5-5J5F-MVXH
- Severity: critical
- URL: https://github.com/advisories/GHSA-fjq5-5j5f-mvxh
- Published: 2022-05-13T01:25:20
- Modified: 2023-11-02T22:53:04
- Rights: Maven Security Team
- Other Advisories
Type | Package URL | Namespace | Name / Product | Version |
---|---|---|---|---|
Affected | pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections | org.apache.servicemix.bundles | org.apache.servicemix.bundles.commons-collections | >= 3.2.1, < 3.2.2 |
Affected | pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic | org.apache.servicemix.bundles | org.apache.servicemix.bundles.collections-generic | >= 4.01, < 4.02 |
Affected | pkg:maven/org.apache.commons/commons-collections4 | org.apache.commons | commons-collections4 | < 4.1 |
Fixed | pkg:maven/org.apache.commons/commons-collections4 | org.apache.commons | commons-collections4 | = 4.1 |
Affected | pkg:maven/net.sourceforge.collections/collections-generic | net.sourceforge.collections | collections-generic | = 4.01 |
Affected | pkg:maven/commons-collections/commons-collections | commons-collections | commons-collections | < 3.2.2 |
Fixed | pkg:maven/commons-collections/commons-collections | commons-collections | commons-collections | = 3.2.2 |