CVE-2016-6814

Name: CVE-2016-6814
Description: When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to craft a special serialized object that executes code directly when deserialized. All applications that rely on serialization and do not isolate the code that deserializes objects were subject to this vulnerability.
Source: CVE (at NVD)
References: DLA-794-1
NVD severity: high (attack range: remote)
Debian Bugs: 851408

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release     | Version             | Status
groovy (PTS)   | jessie      | 1.8.6-4+deb8u2      | fixed
groovy (PTS)   | stretch     | 2.4.8-1             | fixed
groovy (PTS)   | buster, sid | 2.4.15-3            | fixed
groovy2 (PTS)  | jessie      | 2.2.2+dfsg-3+deb8u2 | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version       | Urgency | Origin    | Debian Bugs
groovy  | source | (unstable) | 2.4.8-1             | high    |           | 851408
groovy  | source | jessie     | 1.8.6-4+deb8u2      | high    |           |
groovy  | source | wheezy     | 1.8.6-1+deb7u2      | high    | DLA-794-1 |
groovy2 | source | (unstable) | (unfixed)           | high    |           |
groovy2 | source | jessie     | 2.2.2+dfsg-3+deb8u2 | high    |           |
