Brandon Kite created VALIDATOR-383:
--------------------------------------
Summary: Commons-collections object deserialization remote command execution vulnerability
Key: VALIDATOR-383
URL: https://issues.apache.org/jira/browse/VALIDATOR-383
Project: Commons Validator
Issue Type: Bug
Affects Versions: 1.4.1 Release
Reporter: Brandon Kite
I copied this issue from a different project since it also impacts
commons-validator.
Read:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
TL;DR: If you have commons-collections on your classpath and accept and process
Java object serialization data, then you probably have an exploitable remote
command execution vulnerability.
The Commons Collection dependency should be upgraded to the latest version
(4.1) to remediate this vulnerability.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
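As an added, defender-side example (not code from the JIRA issue, from Commons Validator or from Commons Collections): a look-ahead ObjectInputStream that resolves only an explicit allow-list of classes, so serialized data naming any other class is refused before that class is instantiated. The Ticket type and the names on the allow-list are constructed for the demo, and Set.of assumes Java 9 or later.

```java
import java.io.*;
import java.util.Set;

// Look-ahead deserialization: resolveClass() is invoked before an object of
// that class is instantiated, so a class missing from the allow-list is rejected
// before its readObject() or any gadget-chain logic can run.
public class SafeObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = Set.of(
            "SafeObjectInputStream$Ticket", "java.lang.String");

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample type for this demo only; not part of the issue.
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Ticket t = (Ticket) deserialize(serialize(new Ticket("T-1")));
        System.out.println("accepted: " + t.id);
        try {   // a HashMap is harmless, but it is not on the list, so it is refused
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Upgrading the dependency, as the issue recommends, removes the known gadget classes from the classpath; an allow-list filter like this one, or the JDK's built-in ObjectInputFilter (JEP 290, Java 9+ and 8u121+), covers untrusted serialized input regardless of which libraries are present.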