CVE-2015-7501

Published: 09/11/2017 Updated: 17/10/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 895
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote malicious users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Vendor Advisories

Synopsis: Important: jakarta-commons-collections security update. Type/Severity: Security Advisory: Important. Topic: Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important securit ...
Synopsis: Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update. Type/Severity: Security Advisory: Critical. Topic: Updated packages for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 6.4, which fix one security issue, are now available for Red Hat En ...
Synopsis: Critical: Red Hat JBoss Enterprise Application Platform 6.3 security update. Type/Severity: Security Advisory: Critical. Topic: Updated packages that fix one security issue for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 6.3 are now available for Red Hat Enter ...
Synopsis: Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap update. Type/Severity: Security Advisory: Critical. Topic: Updated jboss-ec2-eap packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat JBoss Enterprise Application Platfor ...
Synopsis: Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update. Type/Severity: Security Advisory: Critical. Topic: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat ...
Synopsis: Important: jakarta-commons-collections security update. Type/Severity: Security Advisory: Important. Topic: Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important securit ...
Synopsis: Important: rh-java-common-apache-commons-collections security update. Type/Severity: Security Advisory: Important. Topic: Updated rh-java-common-apache-commons-collections packages which fix one security issue are now available for Red Hat Software Collections 2. Red Hat Product Security has rated this u ...
Synopsis: Critical: Red Hat JBoss Enterprise Application Platform security update. Type/Severity: Security Advisory: Critical. Topic: Updated packages for the Apache commons-collections library, which fix one security issue, are now available for Red Hat JBoss Enterprise Application Platform 5.2, 5.1.2, and 4.3.10 ...
Synopsis: Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update. Type/Severity: Security Advisory: Critical. Topic: Updated packages for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 5.2, which fix one security issue, are now available for Red Hat En ...
Synopsis: Important: apache-commons-collections security update. Type/Severity: Security Advisory: Important. Topic: Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security i ...
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library ...
Oracle Solaris Third Party Bulletin - July 2016. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updat ...
Oracle Linux Bulletin - October 2015. Description: The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are relea ...
Oracle Linux Bulletin - January 2016. Description: The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin. Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are relea ...
IBM Security Privileged Identity Manager has addressed the following security vulnerabilities ...
Oracle Critical Patch Update Advisory - April 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory ...
Oracle Critical Patch Update Advisory - January 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Critical Patch Update Advisory - January 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Th ...
Oracle Critical Patch Update Advisory - October 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Critical Patch Update Advisory - July 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...
Oracle Critical Patch Update Advisory - April 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous ...
Oracle Critical Patch Update Advisory - October 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Critical Patch Update Advisory - April 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus ...
Oracle Critical Patch Update Advisory - October 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the ...
Oracle Critical Patch Update Advisory - July 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...
Oracle Critical Patch Update Advisory - July 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...

Github Repositories

Java Deserialization Exploits: A collection of curated Java Deserialization Exploits. Currently this repo contains exploits for the following vulnerabilities: Cisco Prime Infrastructure Java Deserialization RCE (CVE-2016-1291); IBM WebSphere Java Object Deserialization RCE (CVE-2015-7450); OpenNMS Java Object Deserialization RCE (No CVE ?); Jenkins CLI RMI Java Deserialization RCE

Payloads All The Things: A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com. Every section contains the following files, you can use the _template_vuln folder to create a new chapter: README.md - vulnerability d

CVE: CVE code demonstrations

rhsecapi: rhsecapi makes it easy to interface with the Red Hat Security Data API -- even from behind a proxy. From the rpm description: Leverage Red Hat's Security Data API to find CVEs by various attributes (date, severity, scores, package, IAVA, etc). Retrieve customizable details about found CVEs or about specific CVE ids input on cmdline. Parse arbitrary stdin for CVE

Jok3r v3 beta: Network & Web Pentest Automation Framework. www.jok3r-framework.com. WARNING: Project is still in version 3 BETA. It is still under active development and bugs might be present. Many tests are going on: see github.com/koutto/jok3r/blob/master/tests/TESTS.rst. Ideas, bug reports, contributions are welcome! Overview, Features, Demos, Architecture

Java-Deserialization-Cheat-Sheet: A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries. Please use the #javadeser hash tag for tweets. Table of content: Java Native Serialization (binary); Overview; Main talks & presentations & docs; Payload generators; Exploits; Detect; Vulnerable apps (without

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :