Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Appearance settings

Upgrade Apache Commons Collections to v3.2.2#1

Open
gmlewis wants to merge 1 commit into
xcjava:masterxcjava/shallot-lib:masterfrom
gmlewis:masterCopy head branch name to clipboard
Open

Upgrade Apache Commons Collections to v3.2.2#1
gmlewis wants to merge 1 commit into
xcjava:masterxcjava/shallot-lib:masterfrom
gmlewis:masterCopy head branch name to clipboard

Conversation

@gmlewis

@gmlewis gmlewis commented Mar 9, 2016

Copy link
Copy Markdown

Version 3.2.1 has a CVSS 10.0 vulnerability. That is the worst kind of
vulnerability that exists. By merely existing on the classpath, this
library causes the Java serialization parser for the entire JVM process
to go from being a state machine to a turing machine. A turing machine
with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103
https://commons.apache.org/proper/commons-collections/security-reports.html
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant

Morty Proxy This is a proxified and sanitized view of the page, visit original site.