CVE-2015-3253
Improper Neutralization of Special Elements in Output Used by a Downstream Component in Apache Groovy
9.8
CRITICAL
CVSS 3.1
EPSS 64.4%
Description
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
How to fix CVE-2015-3253
To remediate CVE-2015-3253, upgrade the affected package to a fixed version below.
- Debian/groovy—upgrade to 2.4.6-1 or later
- —upgrade to 1.7.0-4+deb6u1 or later
- —upgrade to 2.4.4 or later
- —upgrade to 2.4.4 or later
Is CVE-2015-3253 being exploited?
Likely — EPSS is 64.4%, placing CVE-2015-3253 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- from 0, < 2.4.6-1
- from 0, < 1.7.0-4+deb6u1
- >= 1.7.0, < 2.4.4
- >= 1.7.0, < 2.4.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |