10
CVSSv2

CVE-2015-7450

Published: 02/01/2016 Updated: 08/09/2017
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote malicious users to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.

Vulnerability Trend

Affected Products

Vendor Product Versions
IbmTivoli Common Reporting2.1, 2.1.1, 2.1.1.2, 3.1, 3.1.0.1, 3.1.0.2, 3.1.2, 3.1.2.1

Exploits

## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Powershell def initialize(info={}) super(u ...

Metasploit Modules

IBM WebSphere RCE Java Deserialization Vulnerability

This module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization call of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows remote arbitrary code execution. Authentication is not required in order to exploit this vulnerability.

msf > use exploit/windows/misc/ibm_websphere_java_deserialize
      msf exploit(ibm_websphere_java_deserialize) > show targets
            ...targets...
      msf exploit(ibm_websphere_java_deserialize) > set TARGET <target-id>
      msf exploit(ibm_websphere_java_deserialize) > show options
            ...show and set options...
      msf exploit(ibm_websphere_java_deserialize) > exploit

Github Repositories

Java Deserialization Exploits A collection of curated Java Deserialization Exploits Currently this repo contains exploits for the following vulnerabilities: Cisco Prime Infrastructure Java Deserialization RCE (CVE-2016-1291) IBM WebSphere Java Object Deserialization RCE (CVE-2015-7450) OpenNMS Java Object Deserialization RCE (No CVE ?) Jenkins CLI RMI Java Deserialization RCE

Java Deserialization Exploits A collection of curated Java Deserialization Exploits Currently this repo contains exploits for the following vulnerabilities: Cisco Prime Infrastructure Java Deserialization RCE (CVE-2016-1291) IBM WebSphere Java Object Deserialization RCE (CVE-2015-7450) OpenNMS Java Object Deserialization RCE (No CVE ?) Jenkins CLI RMI Java Deserialization RCE

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I &lt;3 pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability d

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I &lt;3 pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains: READMEmd - vulnerability description and how to exploit it Intruders - a set of files to give to Burp Intrude

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I pull requests :) You can also contribute with a IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability description an

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I &lt;3 pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability d

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I &lt;3 pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains: READMEmd - vulnerability description and how to exploit it Intruders - a set of files to give to Burp Intrude

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I &lt;3 pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability d

Java Deserialization Exploits A collection of curated Java Deserialization Exploits Currently this repo contains exploits for the following vulnerabilities: Cisco Prime Infrastructure Java Deserialization RCE (CVE-2016-1291) IBM WebSphere Java Object Deserialization RCE (CVE-2015-7450) OpenNMS Java Object Deserialization RCE (No CVE ?) Jenkins CLI RMI Java Deserialization RCE

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I &lt;3 pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability d

Java Deserialization Exploits A collection of curated Java Deserialization Exploits Currently this repo contains exploits for the following vulnerabilities: Cisco Prime Infrastructure Java Deserialization RCE (CVE-2016-1291) IBM WebSphere Java Object Deserialization RCE (CVE-2015-7450) OpenNMS Java Object Deserialization RCE (No CVE ?) Jenkins CLI RMI Java Deserialization RCE

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I pull requests :) You can also contribute with a IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability description an

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability descriptio

Payloads_All_The_Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I &lt;3 pull requests :) You can also contribute with a beer IRL or with buymeacoffeecom Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability d

Payloads All The Things A list of useful payloads and bypasses for Web Application Security Feel free to improve with your payloads and techniques ! I pull requests :) You can also contribute with a IRL Every section contains the following files, you can use the _template_vuln folder to create a new chapter: READMEmd - vulnerability description and how to exploit it Intrud

Jok3r v3 beta Network &amp; Web Pentest Automation Framework wwwjok3r-frameworkcomWARNING: Project is still in version 3 BETA It is still under active development and bugs might be present Many tests are going on: see githubcom/koutto/jok3r/blob/master/tests/TESTSrst Ideas, bug reports, contributions are welcome ! Overview Features Demos Architecture

This is an R script to list and plot recent computer security vulnerabilities available from US CERT Example output Here are some example plots and tables produced as script output from Bulletin (SB16-011): Vulnerability Summary for the Week of January 4, 2015 Vendor Total_Issues Ibm 48 Wireshark 33 Google 13 Hp 8 Cisco 3 Eucalyptus 2 Mozilla 2 Apache 1

Java-Deserialization-Cheat-Sheet A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries Please, use #javadeser hash tag for tweets Table of content Java Native Serialization (binary) Overview Main talks &amp; presentations &amp; docs Payload generators Exploits Detect Vulnerable apps (without

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :