CVE-2015-3253

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
References
Link Resource
http://groovy-lang.org/security.html Vendor Advisory
http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.html Mitigation Third Party Advisory VDB Entry
http://rhn.redhat.com/errata/RHSA-2016-0066.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/archive/1/536012/100/0/threaded
http://www.securityfocus.com/bid/75919 Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/91787 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1034815
http://www.zerodayinitiative.com/advisories/ZDI-15-365/ Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2016:1376
https://access.redhat.com/errata/RHSA-2017:2486
https://access.redhat.com/errata/RHSA-2017:2596
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed%40%3Cnotifications.shardingsphere.apache.org%3E
https://security.gentoo.org/glsa/201610-01
https://security.netapp.com/advisory/ntap-20160623-0001/
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Configurations

Configuration 1

OR cpe:2.3:a:apache:groovy:1.7.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.0:beta_2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.7.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:beta_2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:beta_3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:beta_4:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.0:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.8.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.9.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.9.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.9.0:beta_3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:1.9.0:beta_4:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:beta_2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:beta_3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.1.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.0:beta_2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.0:beta_2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.3.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.0:beta_1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.0:beta_2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.0:beta_3:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.0:beta_4:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:groovy:2.4.3:*:*:*:*:*:*:*

Configuration 2

OR cpe:2.3:a:oracle:health_sciences_clinical_development_center:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:health_sciences_clinical_development_center:3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:4.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:5.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:13.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:13.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:13.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_store_inventory_management:13.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_store_inventory_management:14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_store_inventory_management:14.1:*:*:*:*:*:*:*

Configuration 3

OR cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_sites:12.2.1:*:*:*:*:*:*:*

History

07 Nov 2023, 02:25

Type: References
Values Removed:
  • [shardingsphere-notifications] 20200623 [GitHub] [shardingsphere] liuqiankun93 opened a new issue #6180: The groovy-2.4.5-indy.jar has High-level security risks (MLIST) https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed@%3Cnotifications.shardingsphere.apache.org%3E
Values Added:
  • https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed%40%3Cnotifications.shardingsphere.apache.org%3E

Information

Published : 2015-08-13 14:59

Updated : 2023-12-10 11:46


NVD link : CVE-2015-3253

Mitre link : CVE-2015-3253

CVE.ORG link : CVE-2015-3253



Products Affected

oracle

  • retail_store_inventory_management
  • retail_service_backbone
  • health_sciences_clinical_development_center
  • webcenter_sites
  • retail_order_broker_cloud_service

apache

  • groovy
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')