CVE-2016-6814
Deserialization of Untrusted Data in Groovy
Severity: 9.8 CRITICAL (CVSS 3.1) | EPSS: 24.3%
Description
When an application that has an unsupported Codehaus version of Groovy (1.7.0 to 2.4.3) or Apache Groovy 2.4.4 to 2.4.7 on its classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to craft a serialized object that executes code as soon as it is deserialized. All applications that rely on serialization and do not isolate the code that deserializes objects were subject to this vulnerability.
How to fix CVE-2016-6814
To remediate CVE-2016-6814, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2.4.8-1 or later
- upgrade to 1.8.6-1+deb7u2 or later
- upgrade to 2.4.8 or later
- upgrade to 2.4.8 or later
Is CVE-2016-6814 being exploited?
Moderate. EPSS is 24.3%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (4)
- from 0, < 2.4.8-1
- from 0, < 1.8.6-1+deb7u2
- >= 1.7.0, < 2.4.8
- >= 1.7.0, < 2.4.8
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |