Description

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

Remediation

Upgrade to the latest version of JBoss.

References

CVE-2015-7501

Related Vulnerabilities

.NET JSON.NET Deserialization RCE

MobileIron Log4Shell RCE

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496)

Drupal Core 8.6.x Remote Code Execution (8.6.0 - 8.6.9)

Remote code execution of user-provided local names in Rails

Severity

High

Classification

CVE-2015-7501 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor