CVE-2016-4000 — jython - security update · VulnScope

CVE-2016-4000

jython - security update

9.8

CRITICAL

CVSS 3.1

EPSS 12.5%

Description

Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.

How to fix CVE-2016-4000

To remediate CVE-2016-4000, upgrade the affected package to a fixed version below.

Debian/jython—upgrade to 2.5.3-17 or later
Debian/jython—upgrade to 2.5.2-1+deb7u1 or later
—upgrade to 2.5.3-3+deb8u1 or later
—upgrade to 2.7.1-rc1 or later
—upgrade to 2.7.1 or later

Is CVE-2016-4000 being exploited?

Moderate — EPSS is 12.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

from 0, < 2.5.3-17
from 0, < 2.5.2-1+deb7u1
from 0, < 2.5.3-3+deb8u1
from 0, < 2.7.1-rc1
from 0, < 2.7.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (17)