CVE-2016-2510
Severity: HIGH
BeanShell < 2.0b6 - Remote Code Execution via Crafted Serialized Data
Title source: llmDescription
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
References (19)
Third Party Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-2035.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/84139
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2016:1135
Third Party Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-0540.html
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2016:1376
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html
Third Party Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-0539.html
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2016/dsa-3504
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1035440
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html
Third Party Advisory (vendor-advisory, x_refsource_ubuntu): http://www.ubuntu.com/usn/USN-2923-1
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201607-17
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1545
Vendor Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpuoct2020.html
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/frohoff/ysoserial/pull/13
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/beanshell/beanshell/releases/tag/2.0b6
Exploit, Third Party Advisory (x_refsource_misc): https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
Scores
CVSS v3
8.1
EPSS
0.7043
EPSS Percentile
99.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-19
Status
published
Products (8)
beanshell/beanshell
1.0
beanshell/beanshell
2.0 beta1 (3 CPE variants)
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
15.10
debian/debian_linux
7.0
debian/debian_linux
8.0
org.apache-extras.beanshell/bsh
0 - 2.0b6 (Maven)
Published
Apr 07, 2016
Tracked Since
Feb 18, 2026