CVE-2015-6934

HIGH

VMware vRealize Orchestrator 6.x and vCenter Orchestrator 5.x - Remote Code Execution via Deserialization

Title source: llm

Description

Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

References (2)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/79648

Scores

CVSS v3 7.3
EPSS 0.0178
EPSS Percentile 82.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CWE
CWE-20
Status published
Products (7)
vmware/vcenter_orchestrator 5.5
vmware/vcenter_orchestrator 5.5.1
vmware/vcenter_orchestrator 5.5.2
vmware/vcenter_orchestrator 5.5.2.1
vmware/vrealize_orchestrator 6.0.1
vmware/vrealize_orchestrator 6.0.2
vmware/vrealize_orchestrator 6.0.3
Published Dec 21, 2015
Tracked Since Feb 18, 2026