CVE-2015-3253

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name	Vendor	Start Version	End Version
Groovy	Apache	1.7.0 (including)	1.7.0 (including)
Groovy	Apache	1.7.0-beta_1 (including)	1.7.0-beta_1 (including)
Groovy	Apache	1.7.0-beta_2 (including)	1.7.0-beta_2 (including)
Groovy	Apache	1.7.0-rc1 (including)	1.7.0-rc1 (including)
Groovy	Apache	1.7.0-rc2 (including)	1.7.0-rc2 (including)
Groovy	Apache	1.7.1 (including)	1.7.1 (including)
Groovy	Apache	1.7.2 (including)	1.7.2 (including)
Groovy	Apache	1.7.3 (including)	1.7.3 (including)
Groovy	Apache	1.7.4 (including)	1.7.4 (including)
Groovy	Apache	1.7.5 (including)	1.7.5 (including)
Groovy	Apache	1.7.6 (including)	1.7.6 (including)
Groovy	Apache	1.7.7 (including)	1.7.7 (including)
Groovy	Apache	1.7.8 (including)	1.7.8 (including)
Groovy	Apache	1.7.9 (including)	1.7.9 (including)
Groovy	Apache	1.7.10 (including)	1.7.10 (including)
Groovy	Apache	1.7.11 (including)	1.7.11 (including)
Groovy	Apache	1.8.0 (including)	1.8.0 (including)
Groovy	Apache	1.8.0-beta_1 (including)	1.8.0-beta_1 (including)
Groovy	Apache	1.8.0-beta_2 (including)	1.8.0-beta_2 (including)
Groovy	Apache	1.8.0-beta_3 (including)	1.8.0-beta_3 (including)
Groovy	Apache	1.8.0-beta_4 (including)	1.8.0-beta_4 (including)
Groovy	Apache	1.8.0-rc1 (including)	1.8.0-rc1 (including)
Groovy	Apache	1.8.0-rc2 (including)	1.8.0-rc2 (including)
Groovy	Apache	1.8.0-rc3 (including)	1.8.0-rc3 (including)
Groovy	Apache	1.8.0-rc4 (including)	1.8.0-rc4 (including)
Groovy	Apache	1.8.1 (including)	1.8.1 (including)
Groovy	Apache	1.8.2 (including)	1.8.2 (including)
Groovy	Apache	1.8.3 (including)	1.8.3 (including)
Groovy	Apache	1.8.4 (including)	1.8.4 (including)
Groovy	Apache	1.8.5 (including)	1.8.5 (including)
Groovy	Apache	1.8.6 (including)	1.8.6 (including)
Groovy	Apache	1.8.7 (including)	1.8.7 (including)
Groovy	Apache	1.8.8 (including)	1.8.8 (including)
Groovy	Apache	1.8.9 (including)	1.8.9 (including)
Groovy	Apache	1.9.0 (including)	1.9.0 (including)
Groovy	Apache	1.9.0-beta_1 (including)	1.9.0-beta_1 (including)
Groovy	Apache	1.9.0-beta_3 (including)	1.9.0-beta_3 (including)
Groovy	Apache	1.9.0-beta_4 (including)	1.9.0-beta_4 (including)
Groovy	Apache	2.0.0 (including)	2.0.0 (including)
Groovy	Apache	2.0.0-beta_1 (including)	2.0.0-beta_1 (including)
Groovy	Apache	2.0.0-beta_2 (including)	2.0.0-beta_2 (including)
Groovy	Apache	2.0.0-beta_3 (including)	2.0.0-beta_3 (including)
Groovy	Apache	2.0.0-rc1 (including)	2.0.0-rc1 (including)
Groovy	Apache	2.0.0-rc2 (including)	2.0.0-rc2 (including)
Groovy	Apache	2.0.0-rc3 (including)	2.0.0-rc3 (including)
Groovy	Apache	2.0.0-rc4 (including)	2.0.0-rc4 (including)
Groovy	Apache	2.0.1 (including)	2.0.1 (including)
Groovy	Apache	2.0.2 (including)	2.0.2 (including)
Groovy	Apache	2.0.3 (including)	2.0.3 (including)
Groovy	Apache	2.0.4 (including)	2.0.4 (including)
Groovy	Apache	2.0.5 (including)	2.0.5 (including)
Groovy	Apache	2.0.6 (including)	2.0.6 (including)
Groovy	Apache	2.0.7 (including)	2.0.7 (including)
Groovy	Apache	2.0.8 (including)	2.0.8 (including)
Groovy	Apache	2.1.0 (including)	2.1.0 (including)
Groovy	Apache	2.1.0-beta_1 (including)	2.1.0-beta_1 (including)
Groovy	Apache	2.1.0-rc1 (including)	2.1.0-rc1 (including)
Groovy	Apache	2.1.0-rc2 (including)	2.1.0-rc2 (including)
Groovy	Apache	2.1.0-rc3 (including)	2.1.0-rc3 (including)
Groovy	Apache	2.1.1 (including)	2.1.1 (including)
Groovy	Apache	2.1.2 (including)	2.1.2 (including)
Groovy	Apache	2.1.3 (including)	2.1.3 (including)
Groovy	Apache	2.1.4 (including)	2.1.4 (including)
Groovy	Apache	2.1.5 (including)	2.1.5 (including)
Groovy	Apache	2.1.6 (including)	2.1.6 (including)
Groovy	Apache	2.1.7 (including)	2.1.7 (including)
Groovy	Apache	2.1.8 (including)	2.1.8 (including)
Groovy	Apache	2.1.9 (including)	2.1.9 (including)
Groovy	Apache	2.2.0 (including)	2.2.0 (including)
Groovy	Apache	2.2.0-beta_1 (including)	2.2.0-beta_1 (including)
Groovy	Apache	2.2.0-beta_2 (including)	2.2.0-beta_2 (including)
Groovy	Apache	2.2.0-rc1 (including)	2.2.0-rc1 (including)
Groovy	Apache	2.2.0-rc2 (including)	2.2.0-rc2 (including)
Groovy	Apache	2.2.0-rc3 (including)	2.2.0-rc3 (including)
Groovy	Apache	2.2.1 (including)	2.2.1 (including)
Groovy	Apache	2.2.2 (including)	2.2.2 (including)
Groovy	Apache	2.3.0 (including)	2.3.0 (including)
Groovy	Apache	2.3.0-beta_1 (including)	2.3.0-beta_1 (including)
Groovy	Apache	2.3.0-beta_2 (including)	2.3.0-beta_2 (including)
Groovy	Apache	2.3.0-rc1 (including)	2.3.0-rc1 (including)
Groovy	Apache	2.3.0-rc2 (including)	2.3.0-rc2 (including)
Groovy	Apache	2.3.0-rc3 (including)	2.3.0-rc3 (including)
Groovy	Apache	2.3.1 (including)	2.3.1 (including)
Groovy	Apache	2.3.2 (including)	2.3.2 (including)
Groovy	Apache	2.3.3 (including)	2.3.3 (including)
Groovy	Apache	2.3.4 (including)	2.3.4 (including)
Groovy	Apache	2.3.5 (including)	2.3.5 (including)
Groovy	Apache	2.3.6 (including)	2.3.6 (including)
Groovy	Apache	2.3.7 (including)	2.3.7 (including)
Groovy	Apache	2.3.8 (including)	2.3.8 (including)
Groovy	Apache	2.3.9 (including)	2.3.9 (including)
Groovy	Apache	2.3.10 (including)	2.3.10 (including)
Groovy	Apache	2.3.11 (including)	2.3.11 (including)
Groovy	Apache	2.4.0 (including)	2.4.0 (including)
Groovy	Apache	2.4.0-beta_1 (including)	2.4.0-beta_1 (including)
Groovy	Apache	2.4.0-beta_2 (including)	2.4.0-beta_2 (including)
Groovy	Apache	2.4.0-beta_3 (including)	2.4.0-beta_3 (including)
Groovy	Apache	2.4.0-beta_4 (including)	2.4.0-beta_4 (including)
Groovy	Apache	2.4.0-rc1 (including)	2.4.0-rc1 (including)
Groovy	Apache	2.4.0-rc2 (including)	2.4.0-rc2 (including)
Groovy	Apache	2.4.1 (including)	2.4.1 (including)
Groovy	Apache	2.4.2 (including)	2.4.2 (including)
Groovy	Apache	2.4.3 (including)	2.4.3 (including)
Red Hat Enterprise Linux 7	RedHat	groovy-0:1.8.9-8.el7_4	*
Red Hat JBoss A-MQ 6.2	RedHat		*
Red Hat JBoss Data Virtualization 6.2	RedHat	groovy-all	*
Red Hat JBoss Fuse 6.2	RedHat		*
Red Hat JBoss Fuse Service Works 6.2	RedHat		*
Red Hat JBoss Operations Network 3.3	RedHat	groovy-all	*
Red Hat JBoss SOA Platform 5.3	RedHat	grovy-all	*
Red Hat Software Collections for Red Hat Enterprise Linux 6	RedHat	rh-maven33-groovy-0:1.8.9-7.19.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS	RedHat	rh-maven33-groovy-0:1.8.9-7.19.el6	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-maven33-groovy-0:1.8.9-7.19.el7	*
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS	RedHat	rh-maven33-groovy-0:1.8.9-7.19.el7	*
Groovy	Ubuntu	artful	*
Groovy	Ubuntu	esm-apps/xenial	*
Groovy	Ubuntu	precise	*
Groovy	Ubuntu	trusty	*
Groovy	Ubuntu	upstream	*
Groovy	Ubuntu	vivid	*
Groovy	Ubuntu	wily	*
Groovy	Ubuntu	xenial	*
Groovy	Ubuntu	yakkety	*
Groovy	Ubuntu	zesty	*
Groovy2	Ubuntu	upstream	*
Groovy2	Ubuntu	vivid	*
Groovy2	Ubuntu	wily	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2015-3253
CWE	https://cwe.mitre.org/data/definitions/74.html

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Weakness

Affected Software

Potential Mitigations

References

CVE-2015-3253

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References