CVE-2016-2510

HIGH

BeanShell < 2.0b6 - Remote Code Execution via Crafted Serialized Data

Title source: llm
STIX 2.1

Description

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

References (19)

Core 19
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2035.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/84139
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1135
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0540.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2016:1376
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0539.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3504
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1035440
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2923-1
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201607-17
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1545
Exploit, Third Party Advisory x_refsource_misc
https://github.com/frohoff/ysoserial/pull/13
Patch, Third Party Advisory x_refsource_confirm
https://github.com/beanshell/beanshell/releases/tag/2.0b6

Scores

CVSS v3 8.1
EPSS 0.7043
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-19
Status published
Products (8)
beanshell/beanshell 1.0
beanshell/beanshell 2.0 beta1 (3 CPE variants)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 15.10
debian/debian_linux 7.0
debian/debian_linux 8.0
org.apache-extras.beanshell/bsh 0 - 2.0b6Maven
Published Apr 07, 2016
Tracked Since Feb 18, 2026