CVE-2016-2510
First published: Mon Feb 22 2016(Updated: )
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/bsh2 | <2.0 | 2.0 |
| Git Git-shell | =1.0 | |
| Git Git-shell | =2.0-beta1 | |
| Git Git-shell | =2.0-beta4 | |
| Git Git-shell | =2.0-beta5 | |
| Debian | =7.0 | |
| Debian | =8.0 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =15.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html
- http://rhn.redhat.com/errata/RHSA-2016-0539.html
- http://rhn.redhat.com/errata/RHSA-2016-0540.html
- http://rhn.redhat.com/errata/RHSA-2016-2035.html
- http://www.debian.org/security/2016/dsa-3504
- http://www.securityfocus.com/bid/84139
- http://www.securitytracker.com/id/1035440
- http://www.ubuntu.com/usn/USN-2923-1
- https://access.redhat.com/errata/RHSA-2016:1135
- https://access.redhat.com/errata/RHSA-2016:1376
- https://access.redhat.com/errata/RHSA-2019:1545
- https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
- https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
- https://github.com/beanshell/beanshell/releases/tag/2.0b6
- https://github.com/frohoff/ysoserial/pull/13
- https://security.gentoo.org/glsa/201607-17
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf
- https://rhn.redhat.com/errata/RHSA-2016-0539.html
- https://rhn.redhat.com/errata/RHSA-2016-0540.html
- https://rhn.redhat.com/errata/RHSA-2016-2035.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1310647
Frequently Asked Questions
What is the severity of CVE-2016-2510?
CVE-2016-2510 is rated as a high severity vulnerability due to its ability to allow remote code execution.
How does CVE-2016-2510 allow for exploitation?
CVE-2016-2510 allows remote attackers to execute arbitrary code by using crafted serialized data with vulnerable applications that include BeanShell.
Which versions are affected by CVE-2016-2510?
Versions before BeanShell 2.0b6, including 1.0 and all beta versions up to 2.0b5, are affected by CVE-2016-2510.
How do I fix CVE-2016-2510?
To remediate CVE-2016-2510, upgrade to BeanShell version 2.0 or newer, which addresses the vulnerability.
What are the potential impacts of CVE-2016-2510 on my system?
If exploited, CVE-2016-2510 can compromise system integrity, leading to unauthorized control and data loss.
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-2510
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/beanshell
- canonical/git git-shell
- version/git git-shell/1.0
- version/git git-shell/2.0-beta1
- version/git git-shell/2.0-beta4
- version/git git-shell/2.0-beta5
- vendor/debian
- canonical/debian
- version/debian/7.0
- version/debian/8.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/15.10