CVE-2018-6331

CRITICAL

Facebook Buck < 2018.06.25.01 - Insecure Deserialization

Description

The Buck parser-cache command loads and saves state using Java serialized objects. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.

Scores

CVSS v3 9.8
EPSS 0.0089
EPSS Percentile 75.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE CWE-502
Status published

Affected Products (1)

facebook/buck < 2018.06.25.01

Timeline

Published Dec 31, 2018
Tracked Since Feb 18, 2026