Vulnerability Details CVE-2016-2510
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.343
EPSS Ranking 96.8%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
References
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html
- http://rhn.redhat.com/errata/RHSA-2016-0539.html
- http://rhn.redhat.com/errata/RHSA-2016-0540.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://www.debian.org/security/2016/dsa-3504
- http://www.securityfocus.com/bid/84139
- http://www.securitytracker.com/id/1035440
- http://www.ubuntu.com/usn/USN-2923-1
- https://access.redhat.com/errata/RHSA-2016:1135
- https://access.redhat.com/errata/RHSA-2016:1376
- https://access.redhat.com/errata/RHSA-2019:1545
- https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
- https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
- https://github.com/beanshell/beanshell/releases/tag/2.0b6
- https://github.com/frohoff/ysoserial/pull/13
- https://security.gentoo.org/glsa/201607-17
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html
- http://rhn.redhat.com/errata/RHSA-2016-0539.html
- http://rhn.redhat.com/errata/RHSA-2016-0540.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://www.debian.org/security/2016/dsa-3504
- http://www.securityfocus.com/bid/84139
- http://www.securitytracker.com/id/1035440
- http://www.ubuntu.com/usn/USN-2923-1
- https://access.redhat.com/errata/RHSA-2016:1135
- https://access.redhat.com/errata/RHSA-2016:1376
- https://access.redhat.com/errata/RHSA-2019:1545
- https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
- https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
- https://github.com/beanshell/beanshell/releases/tag/2.0b6
- https://github.com/frohoff/ysoserial/pull/13
- https://security.gentoo.org/glsa/201607-17
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Products affected by CVE-2016-2510
-
cpe:2.3:a:beanshell:beanshell:1.0
-
cpe:2.3:a:beanshell:beanshell:2.0
-
cpe:2.3:o:canonical:ubuntu_linux:12.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:15.10
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0