Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
9.8
CVSSv3

CVE-2015-3253

Published: 13/08/2015 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Subscribe to Apache

Vulnerability Summary

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 up to and including 2.4.3 allows remote malicious users to execute arbitrary code or cause a denial of service via a crafted serialized object.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache groovy 1.7.1

apache groovy 2.2.1

apache groovy 1.8.4

apache groovy 2.1.6

apache groovy 2.3.0

apache groovy 2.3.10

apache groovy 2.0.3

apache groovy 2.1.9

apache groovy 2.4.3

apache groovy 2.0.4

apache groovy 2.0.0

apache groovy 1.8.9

apache groovy 2.1.3

apache groovy 2.3.2

apache groovy 2.1.5

apache groovy 2.4.2

apache groovy 2.3.5

apache groovy 2.4.1

apache groovy 2.2.0

apache groovy 1.8.5

apache groovy 2.3.9

apache groovy 2.3.4

apache groovy 1.8.0

apache groovy 2.4.0

apache groovy 1.8.2

apache groovy 1.7.7

apache groovy 2.3.1

apache groovy 2.1.0

apache groovy 1.9.0

apache groovy 1.7.0

apache groovy 2.1.8

apache groovy 1.7.6

apache groovy 2.3.7

apache groovy 1.8.3

apache groovy 1.8.6

apache groovy 2.0.5

apache groovy 2.0.8

apache groovy 2.2.2

apache groovy 2.3.8

apache groovy 1.7.8

apache groovy 1.8.1

apache groovy 1.7.4

apache groovy 2.0.2

apache groovy 1.7.9

apache groovy 1.7.2

apache groovy 1.7.3

apache groovy 2.0.7

apache groovy 2.1.2

apache groovy 1.8.7

apache groovy 2.3.3

apache groovy 2.3.11

apache groovy 1.7.11

apache groovy 2.0.1

apache groovy 2.1.1

apache groovy 1.8.8

apache groovy 2.1.7

apache groovy 2.0.6

apache groovy 2.3.6

apache groovy 1.7.10

apache groovy 1.7.5

apache groovy 2.1.4

oracle retail store inventory management 13.2

oracle health sciences clinical development center 3.1.2

oracle retail service backbone 13.0

oracle retail service backbone 14.1

oracle retail service backbone 13.2

oracle retail order broker cloud service 5.1

oracle retail order broker cloud service 4.1

oracle retail store inventory management 14.1

oracle health sciences clinical development center 3.1.1

oracle retail order broker cloud service 15.0

oracle retail store inventory management 14.0

oracle retail service backbone 14.0

oracle retail service backbone 13.1

oracle retail service backbone 15.0

oracle retail order broker cloud service 5.2

oracle webcenter sites 11.1.1.8.0

oracle webcenter sites 12.2.1

Vendor Advisories

Debian CVElist Bug Report Logs: Remote execution of untrusted code, DoS (CVE-2015-3253)
Debian Bug report logs - #793397 Remote execution of untrusted code, DoS (CVE-2015-3253) Package: groovy; Maintainer for groovy is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for groovy is src:groovy (PTS, buildd, popcon) Reported by: Luca Bruno <lucab@debianorg> Date: Thu, 23 Jul ...
Red Hat: CVE-2015-3253
A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulne ...

Github Repositories

https://github.com/CodeIntelligenceTesting/java-demo

Simple Java project showcases two vulnerabilities - a SQL injection and a RCE that although simplified were inspired from two real-word CVEs

Simple Java Demo This simple Java project showcases two vulnerabilities - a SQL injection and a RCE Although these have been distilled into simple examples they were inspired by two real CVEs that were detected You will be able see the two vulnerabilities that CI Fuzz detected and step into the code directly to see the underlying cause The fixed branch is re-fuzzed and the v

https://github.com/TheGrinch/elastic

Groovy Client for Elasticsearch The Elasticsearch Groovy client project helps you to use Elasticsearch in Groovy projects This Groovy client inherently supports 100% of the Elasticsearch API for the supported version by using Groovy extension modules with the Java client Literally anything possible in the same version of the Java client is possible with the Groovy client, plu

https://github.com/elastic/elasticsearch-groovy

Elasticsearch Groovy client

Groovy Client for Elasticsearch IMPORTANT: The Groovy Client is deprecated as of Elasticsearch v600 and is no longer actively maintained The Elasticsearch Groovy client project helps you to use Elasticsearch in Groovy projects This Groovy client inherently supports 100% of the Elasticsearch API for the supported version by using Groovy extension modules with the Java client

https://github.com/angelwhu/XStream_unserialization

XStream Unserialization Test

XStream_unserialization XStream Unserialization Test CVE-2016-0792(Jenkis) CVE-2015-3253 more analyse: angelwhuduappcom/blog/?p=403

References

CWE-74http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.htmlhttp://www.securityfocus.com/bid/75919http://groovy-lang.org/security.htmlhttp://www.zerodayinitiative.com/advisories/ZDI-15-365/http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlhttp://www.securityfocus.com/bid/91787http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755http://rhn.redhat.com/errata/RHSA-2016-0066.htmlhttps://security.gentoo.org/glsa/201610-01http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlhttp://www.securitytracker.com/id/1034815http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttps://security.netapp.com/advisory/ntap-20160623-0001/https://access.redhat.com/errata/RHSA-2017:2596https://access.redhat.com/errata/RHSA-2017:2486https://access.redhat.com/errata/RHSA-2016:1376http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttp://www.securityfocus.com/archive/1/536012/100/0/threadedhttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed%40%3Cnotifications.shardingsphere.apache.org%3Ehttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793397https://nvd.nist.govhttps://github.com/CodeIntelligenceTesting/java-demohttps://access.redhat.com/security/cve/cve-2015-3253
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4040privilege escalationCVE-2024-4112CVE-2024-32872man-in-the-middleCVE-2024-32788bypassCVE-2024-3400CVE-2024-28976
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook