Skip to content

Insecure Deserialization in Apache Commons Collection

High severity GitHub Reviewed Published Jun 15, 2020 to the GitHub Advisory Database • Updated Jun 12, 2023

Package

maven commons-collections:commons-collections (Maven)

Affected versions

< 3.2.2

Patched versions

3.2.2
maven net.sourceforge.collections:collections-generic (Maven)
<= 4.0.1
None
maven org.apache.commons:commons-collections4 (Maven)
< 4.1
4.1
maven org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic (Maven)
<= 4.01
None
maven org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections (Maven)
<= 3.2.1
None

Description

Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.

References

Published by the National Vulnerability Database Dec 15, 2015
Reviewed Jun 11, 2020
Published to the GitHub Advisory Database Jun 15, 2020
Last updated Jun 12, 2023

Severity

High

EPSS score

0.880%
(83rd percentile)

Weaknesses

CVE ID

CVE-2015-6420

GHSA ID

GHSA-6hgm-866r-3cjv

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.