CVE-2016-6814

NameCVE-2016-6814
DescriptionWhen an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-794-1
NVD severityhigh
Debian Bugs851408

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
groovy (PTS)stretch2.4.8-1fixed
buster2.4.16-2fixed
bullseye, sid2.4.17-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
groovysourcewheezy1.8.6-1+deb7u2DLA-794-1
groovysourcejessie1.8.6-4+deb8u2
groovysource(unstable)2.4.8-1851408
groovy2sourcejessie2.2.2+dfsg-3+deb8u2
groovy2source(unstable)(unfixed)

Search for package or bug name: Reporting problems