5l1D3R / Github-actions


CVE: 2015-4852 found in Apache Commons Collections - Version: 4.0 [JAVA] #3

Open github-actions[bot] opened 1 year ago

github-actions[bot] commented 1 year ago

Veracode Software Composition Analysis

| Attribute | Details |
|---|---|
| Library | Apache Commons Collections |
| Description | The Apache Commons Collections package contains types that extend and augment the Java Collections Framework. |
| Language | JAVA |
| Vulnerability | Potential Remote Code Execution Via Java Object Deserialization |
| Vulnerability description | Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It's not necessary to actually use InvokerTransformer to be vulnerable. With these two criteria satisfied, an attacker may construct a gadget chain using classes in the component to execute arbitrary code. The chain relies on the class InvokerTransformer in the org.apache.commons.collections.functors package to invoke methods during the deserialization process. The fix prevents deserialization of InvokerTransformer by default unless it's specifically enabled. CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact. |
| CVE | 2015-4852 |
| CVSS score | 7.5 |
| Vulnerability present in version/s | 4.0-4.0 |
| Found library version/s | 4.0 |
| Vulnerability fixed in version | 4.1 |
| Library latest version | 4.4 |
| Fix | |

Links:

github-actions[bot] commented 1 year ago

Veracode issue link to PR: https://github.com/5l1D3R/Github-actions/pull/2