Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. The Java artifact causing the deserialization vulnerability is Apache Commons Collections in versions 3.0 through 3.2.1 and version 4.0.
HIGH Vulnerable Package issue exists @ commons-collections:commons-collections in branch refs/heads/master
Description
Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. The Java artifact causing the deserialization vulnerability is Apache Commons Collections in versions 3.0 through 3.2.1 and version 4.0.
HIGH Vulnerable Package issue exists @ commons-collections:commons-collections in branch refs/heads/master
Vulnerability ID: CVE-2016-2170
Package Name: commons-collections:commons-collections
Severity: HIGH
CVSS Score: 9.8
Publish Date: 2016-04-12T14:59:00
Current Package Version: 3.2.1
Remediation Upgrade Recommendation: 3.2.2
Link To SCA
Reference – NVD link