
CVE-2015-6420: Insecure Deserialization in Apache Commons Collections

CVSS Score: 7.5

Basic Information

EPSS Score: 0.93945%
Published: 6/15/2020
Updated: 6/12/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.commons:commons-collections4 | maven | < 4.1 | 4.1
commons-collections:commons-collections | maven | < 3.2.2 | 3.2.2
net.sourceforge.collections:collections-generic | maven | <= 4.0.1 | (none listed)
org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic | maven | <= 4.01 | (none listed)
org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections | maven | <= 3.2.1 | (none listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The InvokerTransformer.transform() method is the vulnerable function at the root of this issue. Its role in deserialization attacks against the Apache Commons Collections library is that it invokes a method, chosen by name, on whatever object it is handed; when a transformer carrying an attacker-chosen method name arrives inside untrusted serialized data, that reflective call becomes attacker-controlled, which makes this method the critical point of the vulnerability.
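The defensive counterpart to the analysis above is to stop the functor classes from ever being resolved during deserialization. The following is an added example, not code from Miggo or from the Apache Commons Collections project: it installs a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, Java 9 or later) on an ObjectInputStream that rejects the Commons Collections functor packages outright, accepts only the classes this hypothetical application expects, and rejects everything else. The class names, filter limits and sample objects are choices made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Filter pattern (JEP 290 syntax). Patterns are evaluated in order, first match wins:
    //  - the two "!...**" entries reject the Commons Collections functor packages
    //    (where InvokerTransformer lives) even if the library is on the classpath;
    //  - the bare class names are the allow-list for this hypothetical application;
    //  - the limits cap object-graph depth, reference count and stream size;
    //  - the trailing "!*" rejects any class not matched above, so an unexpected
    //    class is refused before it is resolved or its constructor chain runs.
    static final String FILTER_PATTERN =
            "!org.apache.commons.collections.functors.**;"
          + "!org.apache.commons.collections4.functors.**;"
          + "java.util.ArrayList;java.lang.String;"
          + "maxdepth=8;maxrefs=1000;maxbytes=65536;"
          + "!*";

    static final ObjectInputFilter FILTER =
            ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Serialize an object to bytes; stands in for data received from a client. */
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the filter attached to this stream only. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Config.setSerialFilter(FILTER) would instead apply it process-wide.
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    /** A class this application never expects on the wire (constructed for the demo). */
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "should never be deserialized";
    }

    public static void main(String[] args) throws Exception {
        // Allowed shape: an ArrayList of Strings passes both patterns and the limits.
        ArrayList<String> allowed = new ArrayList<>(List.of("alpha", "beta"));
        Object back = deserializeFiltered(serialize(allowed));
        System.out.println("accepted: " + back);

        // Any class outside the allow-list is refused with "filter status: REJECTED".
        try {
            deserializeFiltered(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is a second line of defence next to upgrading to the patched versions listed in the table: commons-collections 3.2.2 refuses to deserialize these functors unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true, and commons-collections4 4.1 no longer marks them Serializable. Detection-wise, a rejected class shows up as an InvalidClassException at the readObject() call site, which is worth logging with the offending class name so that attempts against a patched service are still visible.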


WAF Protection Rules

WAF Rule

Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.
