Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2015-3253

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Published

2015-08-13T14:59:02.377

Last Modified

2025-04-12T10:46:40.837

Status

Deferred

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	groovy	1.7.0	Yes
Application	apache	groovy	1.7.0	Yes
Application	apache	groovy	1.7.0	Yes
Application	apache	groovy	1.7.0	Yes
Application	apache	groovy	1.7.0	Yes
Application	apache	groovy	1.7.1	Yes
Application	apache	groovy	1.7.2	Yes
Application	apache	groovy	1.7.3	Yes
Application	apache	groovy	1.7.4	Yes
Application	apache	groovy	1.7.5	Yes
Application	apache	groovy	1.7.6	Yes
Application	apache	groovy	1.7.7	Yes
Application	apache	groovy	1.7.8	Yes
Application	apache	groovy	1.7.9	Yes
Application	apache	groovy	1.7.10	Yes
Application	apache	groovy	1.7.11	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.0	Yes
Application	apache	groovy	1.8.1	Yes
Application	apache	groovy	1.8.2	Yes
Application	apache	groovy	1.8.3	Yes
Application	apache	groovy	1.8.4	Yes
Application	apache	groovy	1.8.5	Yes
Application	apache	groovy	1.8.6	Yes
Application	apache	groovy	1.8.7	Yes
Application	apache	groovy	1.8.8	Yes
Application	apache	groovy	1.8.9	Yes
Application	apache	groovy	1.9.0	Yes
Application	apache	groovy	1.9.0	Yes
Application	apache	groovy	1.9.0	Yes
Application	apache	groovy	1.9.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.0	Yes
Application	apache	groovy	2.0.1	Yes
Application	apache	groovy	2.0.2	Yes
Application	apache	groovy	2.0.3	Yes
Application	apache	groovy	2.0.4	Yes
Application	apache	groovy	2.0.5	Yes
Application	apache	groovy	2.0.6	Yes
Application	apache	groovy	2.0.7	Yes
Application	apache	groovy	2.0.8	Yes
Application	apache	groovy	2.1.0	Yes
Application	apache	groovy	2.1.0	Yes
Application	apache	groovy	2.1.0	Yes
Application	apache	groovy	2.1.0	Yes
Application	apache	groovy	2.1.0	Yes
Application	apache	groovy	2.1.1	Yes
Application	apache	groovy	2.1.2	Yes
Application	apache	groovy	2.1.3	Yes
Application	apache	groovy	2.1.4	Yes
Application	apache	groovy	2.1.5	Yes
Application	apache	groovy	2.1.6	Yes
Application	apache	groovy	2.1.7	Yes
Application	apache	groovy	2.1.8	Yes
Application	apache	groovy	2.1.9	Yes
Application	apache	groovy	2.2.0	Yes
Application	apache	groovy	2.2.0	Yes
Application	apache	groovy	2.2.0	Yes
Application	apache	groovy	2.2.0	Yes
Application	apache	groovy	2.2.0	Yes
Application	apache	groovy	2.2.0	Yes
Application	apache	groovy	2.2.1	Yes
Application	apache	groovy	2.2.2	Yes
Application	apache	groovy	2.3.0	Yes
Application	apache	groovy	2.3.0	Yes
Application	apache	groovy	2.3.0	Yes
Application	apache	groovy	2.3.0	Yes
Application	apache	groovy	2.3.0	Yes
Application	apache	groovy	2.3.0	Yes
Application	apache	groovy	2.3.1	Yes
Application	apache	groovy	2.3.2	Yes
Application	apache	groovy	2.3.3	Yes
Application	apache	groovy	2.3.4	Yes
Application	apache	groovy	2.3.5	Yes
Application	apache	groovy	2.3.6	Yes
Application	apache	groovy	2.3.7	Yes
Application	apache	groovy	2.3.8	Yes
Application	apache	groovy	2.3.9	Yes
Application	apache	groovy	2.3.10	Yes
Application	apache	groovy	2.3.11	Yes
Application	apache	groovy	2.4.0	Yes
Application	apache	groovy	2.4.0	Yes
Application	apache	groovy	2.4.0	Yes
Application	apache	groovy	2.4.0	Yes
Application	apache	groovy	2.4.0	Yes
Application	apache	groovy	2.4.0	Yes
Application	apache	groovy	2.4.0	Yes
Application	apache	groovy	2.4.1	Yes
Application	apache	groovy	2.4.2	Yes
Application	apache	groovy	2.4.3	Yes
Application	oracle	health_sciences_clinical_development_center	3.1.1	Yes
Application	oracle	health_sciences_clinical_development_center	3.1.2	Yes
Application	oracle	retail_order_broker_cloud_service	4.1	Yes
Application	oracle	retail_order_broker_cloud_service	5.1	Yes
Application	oracle	retail_order_broker_cloud_service	5.2	Yes
Application	oracle	retail_order_broker_cloud_service	15.0	Yes
Application	oracle	retail_service_backbone	13.0	Yes
Application	oracle	retail_service_backbone	13.1	Yes
Application	oracle	retail_service_backbone	13.2	Yes
Application	oracle	retail_service_backbone	14.0	Yes
Application	oracle	retail_service_backbone	14.1	Yes
Application	oracle	retail_service_backbone	15.0	Yes
Application	oracle	retail_store_inventory_management	13.2	Yes
Application	oracle	retail_store_inventory_management	14.0	Yes
Application	oracle	retail_store_inventory_management	14.1	Yes
Application	oracle	webcenter_sites	11.1.1.8.0	Yes
Application	oracle	webcenter_sites	12.2.1	Yes

References

http://groovy-lang.org/security.html Vendor Advisory ([email protected])
http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.html Mitigation, Third Party Advisory, VDB Entry ([email protected])
http://rhn.redhat.com/errata/RHSA-2016-0066.html ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html Patch, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Patch, Third Party Advisory ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html ([email protected])
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html ([email protected])
http://www.securityfocus.com/archive/1/536012/100/0/threaded ([email protected])
http://www.securityfocus.com/bid/75919 Third Party Advisory, VDB Entry ([email protected])
http://www.securityfocus.com/bid/91787 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1034815 ([email protected])
http://www.zerodayinitiative.com/advisories/ZDI-15-365/ Third Party Advisory, VDB Entry ([email protected])
https://access.redhat.com/errata/RHSA-2016:1376 ([email protected])
https://access.redhat.com/errata/RHSA-2017:2486 ([email protected])
https://access.redhat.com/errata/RHSA-2017:2596 ([email protected])
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 ([email protected])
https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed%40%3Cnotifications.shardingsphere.apache.org%3E ([email protected])
https://security.gentoo.org/glsa/201610-01 ([email protected])
https://security.netapp.com/advisory/ntap-20160623-0001/ ([email protected])
https://www.oracle.com/security-alerts/cpuapr2020.html ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html ([email protected])
http://groovy-lang.org/security.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.html Mitigation, Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2016-0066.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/536012/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/75919 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/91787 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1034815 (af854a3a-2127-422b-91ae-364da2661108)
http://www.zerodayinitiative.com/advisories/ZDI-15-365/ Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2016:1376 (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:2486 (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2017:2596 (af854a3a-2127-422b-91ae-364da2661108)
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed%40%3Cnotifications.shardingsphere.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/201610-01 (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20160623-0001/ (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2020.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (af854a3a-2127-422b-91ae-364da2661108)