Arbitrary Code Execution during Deserialization Affecting org.apache-extras.beanshell:bsh package, versions [2.0b5,2.0b6)


0.0
high
  • Exploit Maturity: Proof of concept
  • Attack Complexity: High
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • snyk-id: SNYK-JAVA-ORGAPACHEEXTRASBEANSHELL-30000
  • published: 22 Feb 2016
  • disclosed: 22 Feb 2016
  • credit: Alvaro Munoz, Christian Schneider

How to fix?

Upgrade org.apache-extras.beanshell:bsh to version 2.0b6 or higher.

Overview

org.apache-extras.beanshell:bsh is a Java source interpreter with object scripting language features, written in Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution during Deserialization. When included on the classpath by an application that uses Java serialization or XStream, a remote attacker could execute arbitrary code via crafted serialized data, related to XThis.Handler.
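Upgrading is the fix; the complementary defence, independent of which gadget library happens to be on the classpath, is to never deserialize untrusted input without a type allowlist. The following is an added example (not code from the advisory, from Snyk, or from BeanShell) showing a default-deny `java.io.ObjectInputFilter` (JEP 290, Java 9+) applied to an `ObjectInputStream`: a stream carrying the expected `ArrayList` of `String` is accepted, while a stream carrying any other class, here a constructed stand-in class, is rejected before its `readObject` logic can run. The class name `NotOnTheAllowlist`, the filter pattern and the resource limits are assumptions for the demo; the `!bsh.**` clause is redundant under the trailing `!*` and is only there to document the package this advisory concerns.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Deserialization allowlist demo using the JDK's ObjectInputFilter (Java 9+).
 * Added example for illustration; not code from the advisory or from BeanShell.
 */
public class DeserializationAllowlistDemo {

    // Default-deny filter: patterns are evaluated left to right, first match wins.
    // Only the types this application actually expects are allowed; "!*" rejects
    // everything else, so a gadget class such as one from the bsh package is never
    // resolved. The maxdepth/maxrefs/maxbytes limits bound resource use from
    // hostile streams. (Pattern and limits are assumed values for this demo.)
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;"
            + "!bsh.**;!*;maxdepth=10;maxrefs=1000;maxbytes=65536");

    /** Constructed stand-in for an unexpected class arriving in a hostile stream. */
    static class NotOnTheAllowlist implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "ignored";
    }

    /** Helper used only to build sample streams for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Deserialize with the allowlist applied. Rejected classes surface as
     * InvalidClassException ("filter status: REJECTED") before instantiation.
     */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected, benign payload: accepted.
        List<String> expected = new ArrayList<>(List.of("a", "b"));
        Object ok = readFiltered(serialize(expected));
        System.out.println("allowed: " + ok);

        // Anything outside the allowlist: rejected by the filter.
        try {
            readFiltered(serialize(new NotOnTheAllowlist()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same principle applies to the XStream path the advisory mentions: XStream 1.4.7 and later expose `allowTypes(...)` and `allowTypesByWildcard(...)` on the `XStream` instance, and a deployment that unmarshals untrusted XML should register only its own model classes there rather than relying on a denylist of known gadget packages. Detection-side, an `InvalidClassException` with `filter status: REJECTED` (or XStream's `ForbiddenClassException`) in application logs is a useful signal that a stream carried a class the application never expected.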