9.8

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-7501

CVE-2015-7501: Deserialization of Untrusted Data in Apache commons collections

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2015-7501

CVE-2015-7501:

9.8

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
commons-collections:commons-collections	maven	< 3.2.2	3.2.2
org.apache.commons:commons-collections4	maven	< 4.1	4.1
org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections	maven	>= 3.2.1, < 3.2.2
net.sourceforge.collections:collections-generic	maven	= 4.01
org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic	maven	>= 4.01, < 4.02

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe deserialization of classes in Apache Commons Collections' functors package. InvokerTransformer, InstantiateFactory, and InstantiateTransformer are explicitly named in advisories (CVE-2015-7501, COLLECTIONS-580) as having dangerous serialization behavior. These classes allow method invocation and object instantiation via reflection, which attackers exploit by crafting malicious serialized object chains. The Apache project patched this by disabling serialization for these classes in versions 3.2.2/4.1, and Red Hat's documentation confirms their role in the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2015-7501: Deserialization of Untrusted Data in Apache commons collections

CVE-2015-7501:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

9.8

9.8

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2015-7501: Deserialization of Untrusted Data in Apache commons collections

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI