Published: 29/09/2016 Updated: 17/02/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 7.3 | Impact Score: 3.4 | Exploitability Score: 3.9
VMScore: 668
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x prior to, and 10.1x prior to allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries. The RMI endpoint deserializes attacker-supplied objects without restricting which classes may be loaded; because the vulnerable ACC and BeanUtils classes are on the application's classpath, a serialized gadget chain built from them (of the kind produced by public payload generators) runs arbitrary commands during deserialization, before the application code ever inspects the object. No authentication is required (Au:N), and the attacker only needs network reach to the RMI port.

Affected Products

Vendor: HP
Product: Network Automation
Versions: 9.10, 9.20, 9.22, 9.22.01, 9.22.02, 10.00, 10.00.01, 10.00.02, 10.10, 10.11
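The page names the two gadget libraries but not how to recognise an exploitation attempt on the wire. The following is an added example, not code from the page or from the vendor: a heuristic scanner for Java serialization streams (as carried over RMI) that pulls class names out of TC_CLASSDESC records and flags those belonging to the publicly known Commons Collections and Commons BeanUtils gadget chains. The GADGET_CLASSES deny-list is an illustrative selection taken from those public chains, not an exhaustive one, and the two sample streams are constructed here for the example (headers and class descriptors only; they are not working payloads).

```python
"""Heuristic scanner for Java serialization streams (as sent over RMI).

Added example, not from the page or the vendor. It extracts class names from
TC_CLASSDESC records and flags classes used by the public Apache Commons
Collections / Commons BeanUtils gadget chains. The deny-list is illustrative.
"""
import re
import struct

STREAM_MAGIC = b"\xac\xed"   # Java serialization magic
STREAM_VERSION = 5           # always 5 for java.io.ObjectOutputStream
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# Classes that appear on the wire in well-known ACC / BeanUtils chains
# (illustrative selection from public payload generators, not exhaustive).
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InstantiateTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.keyvalue.TiedMapEntry",
    "org.apache.commons.collections.comparators.TransformingComparator",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "org.apache.commons.collections4.comparators.TransformingComparator",
    "org.apache.commons.beanutils.BeanComparator",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
}

# A plausible fully-qualified Java class name (ASCII identifiers joined by dots).
_CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def is_java_serialized(data: bytes) -> bool:
    """True if the buffer starts with the Java serialization header 0xACED 0005."""
    return (len(data) >= 4 and data[:2] == STREAM_MAGIC
            and struct.unpack(">H", data[2:4])[0] == STREAM_VERSION)


def extract_class_names(data: bytes) -> list:
    """Return the class name of every TC_CLASSDESC record found in the stream.

    A TC_CLASSDESC record is: 0x72, a modified-UTF8 string (u16 length + bytes),
    then an 8-byte serialVersionUID. This is a scan, not a full parser: it does
    not follow TC_REFERENCE back-references, so each class is reported where it
    is first described, which is enough to spot a gadget chain.
    """
    names = []
    i = 4 if is_java_serialized(data) else 0
    while i < len(data):
        if data[i] == TC_CLASSDESC and i + 3 <= len(data):
            length = struct.unpack(">H", data[i + 1:i + 3])[0]
            raw = data[i + 3:i + 3 + length]
            if length and len(raw) == length and _CLASS_NAME.match(raw):
                names.append(raw.decode("ascii"))
                i += 3 + length + 8  # skip the name and the serialVersionUID
                continue
        i += 1
    return names


def find_gadgets(data: bytes) -> list:
    """Class names in the stream that belong to the known gadget-chain set."""
    return [n for n in extract_class_names(data) if n in GADGET_CLASSES]


def build_classdesc(name: str) -> bytes:
    """Build a TC_CLASSDESC record for `name` with a zero serialVersionUID.

    Used only to construct the sample input below; the result is not a working
    gadget chain (no class flags, field descriptors or object data follow it).
    """
    enc = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(enc)) + enc + b"\x00" * 8


_HEADER = STREAM_MAGIC + struct.pack(">H", STREAM_VERSION) + bytes([TC_OBJECT])

# Constructed sample: the descriptors a CommonsCollections-style payload carries.
SAMPLE_MALICIOUS = (
    _HEADER
    + build_classdesc("java.util.HashMap")
    + build_classdesc("org.apache.commons.collections.map.LazyMap")
    + build_classdesc("org.apache.commons.collections.functors.ChainedTransformer")
    + build_classdesc("org.apache.commons.collections.functors.InvokerTransformer")
)
# Constructed sample: an ordinary serialized String, no gadget classes.
SAMPLE_BENIGN = _HEADER + build_classdesc("java.lang.String")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, find_gadgets(blob))
```

A scanner like this is a detection aid for traffic captures or an RMI-facing proxy, not a fix: class names can be spread across fragments, and new gadget chains appear regularly. The durable controls are the vendor update and a deserialization filter in the JVM itself, for example a JEP 290 `jdk.serialFilter` (Java 9+, backported to later Java 8 updates) that rejects the gadget packages with a pattern such as `!org.apache.commons.collections.**;!org.apache.commons.beanutils.**`, or a look-ahead `ObjectInputStream` that overrides `resolveClass` with an allow-list of the types the RMI interface actually expects.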

Github Repositories

Java-Deserialization-Cheat-Sheet: A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries. Please use the #javadeser hash tag for tweets. Table of contents: Java Native Serialization (binary); Overview; Main talks & presentations & docs; Payload generators; Exploits; Detect; Vulnerable apps (without