VDB
CVE-2016-6814
CVE-2016-6814
PUBLISHED
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
EPSS 24.31% · 96.2th percentile
Risk Scores
EPSS Score
24.31%
96.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | groovy2 | 0, 2.4.3+dfsg-2ubuntu1, 2.4.5-1 |
| Ubuntu:16.04:LTS | groovy | 0, 2.0.0~beta2+isreally1.8.6-4ubuntu1 |
Exploit Intelligence
- ianxtianxt/CVE-2016-8735 (github-poc)
- ianxtianxt/CVE-2016-8735 (github-poc)
- ianxtianxt/CVE-2016-8735 (github-poc)
- ianxtianxt/CVE-2016-8735 (github-poc)
- ianxtianxt/CVE-2016-8735 (github-poc)
- ianxtianxt/CVE-2016-8735 (github-poc)
Timeline
- Oct 18, 2017 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- May 8, 2023 EPSS Score
- Nov 3, 2023 EPSS Score
- Nov 28, 2023 EPSS Score
- Dec 29, 2023 EPSS Score
- Aug 18, 2024 EPSS Score
- Dec 17, 2024 EPSS Score
- Jan 30, 2025 EPSS Score
- Mar 17, 2025 EPSS Score
- Mar 27, 2025 EPSS Score
References
- https://ubuntu.com/security/CVE-2016-6814 third-party-advisory
- http://www.openwall.com/lists/oss-security/2017/01/14/3 third-party-advisory
- https://ubuntu.com/security/notices/USN-4795-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2016-6814 third-party-advisory