Description
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to "oracle_common/modules/com.bea.core.apache.commons.collections.jar". The Java artifact supplying the deserialization gadget chain is Apache Commons Collections in versions 3.0 through 3.2.1 and version 4.0. NOTE: the scope of this CVE is limited to the WebLogic Server product. For this finding, what matters is that the same library version is on the branch's classpath: the Commons Collections gadget chain can be triggered by any code path that deserializes untrusted input while an affected version is loadable, not only by WebLogic's T3 listener, so the upgrade applies whether or not the repository deploys to WebLogic.
HIGH Vulnerable Package issue exists @ commons-collections:commons-collections in branch refs/heads/master
Vulnerability ID: CVE-2015-4852
Package Name: commons-collections:commons-collections
Severity: HIGH
CVSS Score: 9.8
Publish Date: 2015-11-18T15:59:00
Current Package Version: 3.2.1
Remediation Upgrade Recommendation: 3.2.2
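The following script is an added example, not output of the SCA tool or code from the Apache Commons project. It shows how to confirm the finding from the repository's own build file: it parses a Maven pom.xml offline, resolves `${property}` versions, and flags every declared Commons Collections dependency whose version falls in the advisory's affected ranges, reporting the upgrade target. It goes slightly beyond the text by also covering the 4.0 line, which ships under the separate `org.apache.commons:commons-collections4` coordinate and was fixed in 4.1. The sample POM is constructed for the example; the group and artifact coordinates are the real Maven ones.

```python
"""Flag Apache Commons Collections artifacts affected by CVE-2015-4852 in a Maven POM."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# (groupId, artifactId, first affected, last affected, fixed in)
# 3.0..3.2.1 is the range named in the advisory; 3.2.2 is the upgrade
# recommended above. 4.0 lives under the commons-collections4 coordinate and
# was fixed in 4.1 (added here so the 4.x line is not missed).
AFFECTED = [
    ("commons-collections", "commons-collections", "3.0", "3.2.1", "3.2.2"),
    ("org.apache.commons", "commons-collections4", "4.0", "4.0", "4.1"),
]


@dataclass(frozen=True)
class Finding:
    group_id: str
    artifact_id: str
    version: str
    fixed_in: str


def parse_version(version):
    """Turn '3.2.1' into (3, 2, 1). A qualifier such as '-SNAPSHOT' is dropped,
    so a pre-release is judged as the release it precedes (the conservative choice)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable Maven version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(group_id, artifact_id, version):
    """Return the fixed version if the coordinate is in an affected range, else None."""
    for g, a, lo, hi, fix in AFFECTED:
        if (g, a) == (group_id, artifact_id):
            if parse_version(lo) <= parse_version(version) <= parse_version(hi):
                return fix
    return None


def scan_pom(pom_xml):
    """Return a Finding for every declared dependency in an affected range.

    Dependencies without a <version> (inherited from a parent or BOM) and
    transitive dependencies are invisible here; `mvn dependency:tree` is the
    authoritative view for those, and is how to find who pulls 3.2.1 in
    when the POM itself does not name it.
    """
    root = ET.fromstring(pom_xml)
    # Maven POMs carry a namespace; '{*}' matches any namespace (Python 3.8+).
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("./{*}properties/*")}

    def resolve(text):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)

    findings = []
    # './/{*}dependency' covers both <dependencies> and <dependencyManagement>.
    for dep in root.iterfind(".//{*}dependency"):
        g = (dep.findtext("{*}groupId") or "").strip()
        a = (dep.findtext("{*}artifactId") or "").strip()
        v = resolve((dep.findtext("{*}version") or "").strip())
        if not v or v.startswith("${"):
            continue  # managed elsewhere or unresolved property: cannot judge from this file
        fix = is_affected(g, a, v)
        if fix:
            findings.append(Finding(g, a, v, fix))
    return findings


# Constructed sample POM (not from the scanned repository): one affected 3.x
# dependency declared through a property, one affected 4.0 entry in
# dependencyManagement, and one already-fixed 4.1 dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <properties>
    <cc.version>3.2.1</cc.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>4.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>${cc.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-collections4</artifactId>
      <version>4.1</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for f in scan_pom(SAMPLE_POM):
        print(f"{f.group_id}:{f.artifact_id}:{f.version} affected by CVE-2015-4852; "
              f"upgrade to {f.fixed_in}")
```

Run it against the real pom.xml by reading the file into `scan_pom`. Two findings come out of the sample: the 3.2.1 declared through `${cc.version}` and the managed 4.0, while 4.1 passes. A clean result from the POM does not close the finding: if the SCA tool sees 3.2.1 on master but the POM never names it, the artifact arrives transitively and `mvn dependency:tree -Dincludes=commons-collections` shows which direct dependency to bump or to pin 3.2.2 under `<dependencyManagement>`.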
Reference – NVD link