Arbitrary Code Execution during Deserialization Affecting org.beanshell:bsh package, versions [0,]


Severity: high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

  • Exploit Maturity: Proof of concept
  • EPSS: 10.07% (95th percentile)

  • Snyk ID: SNYK-JAVA-ORGBEANSHELL-72452
  • published: 22 Feb 2016
  • disclosed: 22 Feb 2016
  • credit: Alvaro Munoz, Christian Schneider

Introduced: 22 Feb 2016

CVE-2016-2510
CWE-502

How to fix?

There is no fixed version for org.beanshell:bsh.

Overview

org.beanshell:bsh is a Java source interpreter with object scripting language features, written in Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution during Deserialization. When included on the classpath by an application that uses Java serialization or XStream, a remote attacker could execute arbitrary code via crafted serialized data, related to XThis.Handler.
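Since the advisory lists no fixed version, the practical control is on the deserializing side: refuse to instantiate BeanShell classes (and anything else the endpoint does not expect) before their deserialization code runs. The following is an added example, not code from Snyk or the BeanShell project. It assumes Java 9 or later (the java.io.ObjectInputFilter API from JEP 290), that the advisory's XThis.Handler is the class bsh.XThis$Handler in the bsh package, and that no JVM-wide jdk.serialFilter is already configured on the JVM running it (on Java 9 to 16 a per-stream filter cannot replace one). The AppMessage class and the HashMap stand-in are constructed for the demonstration.

```java
// BeanShellDeserializationFilter.java  (added example, not Snyk's or BeanShell's code)
// A JEP 290 deserialization filter that rejects the BeanShell package tree
// and applies an allowlist to everything else.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class BeanShellDeserializationFilter {

    /** The only application type this endpoint legitimately expects (constructed for the example). */
    public static final class AppMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        AppMessage(String text) { this.text = text; }
    }

    /*
     * Pattern-based filter; patterns are evaluated left to right, first match wins:
     *   !bsh.**           reject the whole BeanShell package tree (assumed to include bsh.XThis$Handler)
     *   <AppMessage>      allow our own message class
     *   java.lang.String  allow String (listed for clarity; strings carry no class descriptor)
     *   !*                reject every other class
     * The trailing limits bound nesting depth and stream size for crafted input.
     */
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!bsh.**;"
            + AppMessage.class.getName() + ";"
            + "java.lang.String;"
            + "!*;"
            + "maxdepth=8;maxbytes=65536");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the filter installed on this stream only. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return ois.readObject();             // a rejected class raises InvalidClassException
        }
    }

    public static void main(String[] args) throws Exception {
        // The legitimate payload passes the allowlist.
        AppMessage ok = (AppMessage) deserializeFiltered(serialize(new AppMessage("hello")));
        System.out.println("accepted: " + ok.text);

        // Anything outside the allowlist (a plain HashMap here, standing in for an
        // unexpected library class) is rejected before its readObject logic executes.
        HashMap<String, String> notExpected = new HashMap<>();
        notExpected.put("k", "v");
        try {
            deserializeFiltered(serialize(notExpected));
            System.out.println("BUG: HashMap should have been rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with -Djdk.serialFilter=!bsh.**;... or ObjectInputFilter.Config.setSerialFilter, which also covers libraries that open their own ObjectInputStream. For the XStream path the advisory mentions, the equivalent control is XStream's security framework: denyTypesByWildcard(new String[]{"bsh.**"}) together with an allowTypes list of the types the application actually exchanges.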

CVSS Scores (version 3.1)