[ { "created": "2017-11-17T00:00:00.910Z", "cves": [ { "cve": "CVE-2015-8765", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "NVD-CWE-Other" ] } ], "description": "Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1.x before 5.1.3 Hotfix 1106041, and 5.3.x before 5.3.1 Hotfix 1106041 allow remote attackers to execute arbitrary code via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, 5.1.x before 5.1.3 Hotfix 1106041, and 5.3.x before 5.3.1 Hotfix 1106041 allow remote attackers to execute arbitrary code via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." }, { "created": "2017-11-17T00:00:00.604Z", "cves": [ { "cve": "CVE-2016-1999", "cvss_v2": "10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", "cwe": [ "CWE-284" ] } ], "description": "The server in HP Release Control 9.13, 9.20, and 9.21 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "The server in HP Release Control 9.13, 9.20, and 9.21 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library."
}, { "created": "2017-07-05T00:00:00.494Z", "cves": [ { "cve": "CVE-2016-2510", "cvss_v2": "6.8/CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:P", "cvss_v3": "8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "cwe": [ "CWE-19" ] } ], "description": "BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.", "impact_path": [ "opt/apache-jmeter-5.0/lib/bsh-2.0b6.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Minor", "summary": "BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler." }, { "created": "2017-11-17T00:00:00.329Z", "cves": [ { "cve": "CVE-2016-4385", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "CWE-502" ] } ], "description": "The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries." 
}, { "created": "2017-11-17T00:00:00.704Z", "cves": [ { "cve": "CVE-2016-1997", "cvss_v2": "10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", "cwe": [ "CWE-20" ] } ], "description": "HPE Operations Orchestration 10.x before 10.51 and Operations Orchestration content before 1.7.0 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HPE Operations Orchestration 10.x before 10.51 and Operations Orchestration content before 1.7.0 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library." }, { "created": "2017-11-17T00:00:00.558Z", "cves": [ { "cve": "CVE-2016-2000", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "CWE-19" ] } ], "description": "HPE Asset Manager 9.40, 9.41, and 9.50 and Asset Manager CloudSystem Chargeback 9.40 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HPE Asset Manager 9.40, 9.41, and 9.50 and Asset Manager CloudSystem Chargeback 9.40 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." 
}, { "created": "2017-11-17T00:00:00.011Z", "cves": [ { "cve": "CVE-2015-6934", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "CWE-20" ] } ], "description": "Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library." }, { "created": "2017-11-17T00:00:00.451Z", "cves": [ { "cve": "CVE-2016-2009", "cvss_v2": "6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P", "cwe": [ "CWE-284" ] } ], "description": "HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Minor", "summary": "HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." 
}, { "created": "2017-11-17T00:00:00.769Z", "cves": [ { "cve": "CVE-2016-1986", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "CWE-94" ] } ], "description": "HP Continuous Delivery Automation (CDA) 1.30 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HP Continuous Delivery Automation (CDA) 1.30 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library." }, { "created": "2017-11-19T00:00:00.124Z", "cves": [ { "cve": "CVE-2016-4369", "cvss_v2": "6.5/AV:N/AC:L/Au:S/C:P/I:P/A:P", "cwe": [ "CWE-284" ] } ], "description": "HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Minor", "summary": "HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library." 
}, { "created": "2017-11-17T00:00:00.967Z", "cves": [ { "cve": "CVE-2015-7450", "cvss_v2": "10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", "cwe": [ "CWE-94" ] } ], "description": "Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library." }, { "created": "2017-12-12T00:00:00.280Z", "cves": [ { "cve": "CVE-2012-0881", "cvss_v2": "7.8/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", "cvss_v3": "7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cwe": [ "CWE-399" ] } ], "description": "Apache Xerces2 Java allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.", "impact_path": [ "opt/apache-jmeter-5.0/lib/xercesImpl-2.11.0.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "Apache Xerces2 Java allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions." 
}, { "created": "2017-11-17T00:00:00.388Z", "cves": [ { "cve": "CVE-2016-4373", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "CWE-284" ] } ], "description": "The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." }, { "created": "2017-11-17T00:00:00.864Z", "cves": [ { "cve": "CVE-2016-1114", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "NVD-CWE-Other" ] } ], "description": "Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library." 
}, { "created": "2017-02-21T00:00:00.160Z", "cves": [ { "cve": "CVE-2011-5034", "cvss_v2": "7.8/CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", "cwe": [ "CWE-20" ] } ], "description": "Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.", "impact_path": [ "opt/apache-jmeter-5.0/lib/geronimo-jms_1.1_spec-1.1.1.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "[CVE-2011-5034] Improper Input Validation" }, { "created": "2017-11-17T00:00:00.819Z", "cves": [ { "cve": "CVE-2016-1985", "cvss_v2": "10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", "cwe": [ "CWE-94" ] } ], "description": "HPE Operations Manager 8.x and 9.0 on Windows allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HPE Operations Manager 8.x and 9.0 on Windows allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library." 
}, { "created": "2017-11-19T00:00:00.169Z", "cves": [ { "cve": "CVE-2016-4368", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "CWE-20" ] } ], "description": "HPE Universal CMDB 10.0 through 10.21, Universal CMDB Configuration Manager 10.0 through 10.21, and Universal Discovery 10.0 through 10.21 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HPE Universal CMDB 10.0 through 10.21, Universal CMDB Configuration Manager 10.0 through 10.21, and Universal Discovery 10.0 through 10.21 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." }, { "created": "2017-07-05T00:00:00.850Z", "cves": [ { "cve": "CVE-2015-6420", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "NVD-CWE-Other" ] } ], "description": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and 
Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." }, { "created": "2017-12-12T00:00:00.067Z", "cves": [ { "cve": "CVE-2015-7501", "cvss_v2": "10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", "cwe": [ "CWE-502" ] } ], "description": "Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." 
}, { "created": "2017-11-19T00:00:00.078Z", "cves": [ { "cve": "CVE-2016-4372", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cwe": [ "CWE-20" ] } ], "description": "HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." }, { "created": "2017-11-17T00:00:00.505Z", "cves": [ { "cve": "CVE-2016-2003", "cvss_v2": "7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P" } ], "description": "HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x before 8.4.0-00 and XP7 CVAE 7.x and 8.x before 8.4.0-00 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x before 8.4.0-00 and XP7 CVAE 7.x and 8.x before 8.4.0-00 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library." 
}, { "created": "2017-11-17T00:00:00.653Z", "cves": [ { "cve": "CVE-2016-1998", "cvss_v2": "10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", "cwe": [ "CWE-20" ] } ], "description": "HPE Service Manager (SM) 9.3x before 9.35 P4 and 9.4x before 9.41.P2 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.", "impact_path": [ "opt/apache-jmeter-5.0/lib/commons-collections-3.2.2.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "HPE Service Manager (SM) 9.3x before 9.35 P4 and 9.4x before 9.41.P2 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library." }, { "created": "2018-04-23T00:00:00.983Z", "cves": [ { "cve": "CVE-2018-8088", "cvss_v2": "7.5/CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", "cvss_v3": "9.8/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cwe": [ "CWE-502" ] } ], "description": "org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.", "impact_path": [ /slf4j-ext-1.7.25.jar", "opt/apache-jmeter-5.0/lib/slf4j-ext-1.7.25.jar" ], "issue_type": "security", "provider": "JFrog", "severity": "Critical", "summary": "org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data." }, { "created": "2018-01-31T00:00:00.188Z", "cves": [ { "cve": "CVE-2013-4002", "cvss_v2": "7.1/CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:N/A:C", "cvss_v3": "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "cwe": [ "CWE-94", "NVD-CWE-noinfo" ] } ], "description": "Denial of Service (DoS)", "impact_path": [ "opt/apache-jmeter-5.0/lib/xercesImpl-2.11.0.jar" ], "issue_type": "security", "provider": "Snyk Basic", "severity": "Critical", "summary": "Denial of Service (DoS)" } ]