CVE-2015-7501
apache-commons-collections: InvokerTransformer code execution during deserialisation
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x y 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x y 5.x; Enterprise Application Platform 6.x, 5.x y 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x y Red Hat Subscription Asset Manager 1.3 permiten que atacantes remotos ejecuten comandos arbitrarios mediante un objeto Java serializado manipulado. Esto está relacionado con la librerÃa ACC (Apache Commons Collections).
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-09-29 CVE Reserved
- 2015-11-20 CVE Published
- 2020-02-21 First Exploit
- 2024-06-12 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-284: Improper Access Control
- CWE-502: Deserialization of Untrusted Data
CAPEC
References (30)
| URL | Date | SRC |
|---|---|---|
| https://github.com/ianxtianxt/CVE-2015-7501 | 2020-02-21 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Data Grid Search vendor "Redhat" for product "Data Grid" | 6.0.0 Search vendor "Redhat" for product "Data Grid" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss A-mq Search vendor "Redhat" for product "Jboss A-mq" | 6.0.0 Search vendor "Redhat" for product "Jboss A-mq" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Bpm Suite Search vendor "Redhat" for product "Jboss Bpm Suite" | 6.0.0 Search vendor "Redhat" for product "Jboss Bpm Suite" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Data Virtualization Search vendor "Redhat" for product "Jboss Data Virtualization" | 5.0.0 Search vendor "Redhat" for product "Jboss Data Virtualization" and version "5.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Data Virtualization Search vendor "Redhat" for product "Jboss Data Virtualization" | 6.0.0 Search vendor "Redhat" for product "Jboss Data Virtualization" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 4.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "4.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Brms Platform Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" | 5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" and version "5.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Brms Platform Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" | 6.0.0 Search vendor "Redhat" for product "Jboss Enterprise Brms Platform" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Soa Platform Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" | 5.0.0 Search vendor "Redhat" for product "Jboss Enterprise Soa Platform" and version "5.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Web Server Search vendor "Redhat" for product "Jboss Enterprise Web Server" | 3.0.0 Search vendor "Redhat" for product "Jboss Enterprise Web Server" and version "3.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse" | 6.0.0 Search vendor "Redhat" for product "Jboss Fuse" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Fuse Service Works Search vendor "Redhat" for product "Jboss Fuse Service Works" | 6.0 Search vendor "Redhat" for product "Jboss Fuse Service Works" and version "6.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Operations Network Search vendor "Redhat" for product "Jboss Operations Network" | 3.0 Search vendor "Redhat" for product "Jboss Operations Network" and version "3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Portal Search vendor "Redhat" for product "Jboss Portal" | 6.0.0 Search vendor "Redhat" for product "Jboss Portal" and version "6.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Search vendor "Redhat" for product "Openshift" | 3.0 Search vendor "Redhat" for product "Openshift" and version "3.0" | enterprise |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Subscription Asset Manager Search vendor "Redhat" for product "Subscription Asset Manager" | 1.3.0 Search vendor "Redhat" for product "Subscription Asset Manager" and version "1.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Xpaas Search vendor "Redhat" for product "Xpaas" | 3.0.0 Search vendor "Redhat" for product "Xpaas" and version "3.0.0" | - |
Affected
| ||||||