CVE-2015-4852 (High) detected in commons-collections-3.2.jar

Question

CVE-2015-4852 (High) detected in commons-collections-3.2.jar

Closed this issue 5 years ago · 0 comments

mend-bolt-for-github commented 5 years ago

CVE-2015-4852 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://jakarta.apache.org/commons/collections/

Path to dependency file: /tmp/ws-scm/robotframework-httprequestlibrary/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy:

javalib-core-1.2.1.jar (Root Library)
- ❌ commons-collections-3.2.jar (Vulnerable Library)

Found in HEAD commit: 329644a75da0d24042c61972ed10d496db9829c4

Vulnerability Details

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Publish Date: 2015-11-18

URL: CVE-2015-4852

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19

Release Date: 2015-11-18

Fix Resolution: commons-collections:commons-collections:3.2.2

Step up your Open Source Security Game with WhiteSource here