A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library.
Find out more about CVE-2016-2510 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Operations Network 3 | Core Server | Not affected |
| Red Hat JBoss Fuse Service Works 6 | Camel | Affected |
| Red Hat JBoss Enterprise SOA Platform 5 | jbossas | Affected |
| Red Hat JBoss Enterprise Application Platform 5.2 | bsh4 | Not affected |
| Red Hat JBoss Data Virtualization 6 | bsh4 | Affected |
| Red Hat JBoss BRMS 6 | Business Central | Affected |
| Red Hat JBoss BRMS 5 | jbossas | Will not fix |
| Red Hat JBoss BPMS 6 | Business Central | Affected |
Vulmon