CVE-2014-9515 : Dozer improperly uses a reflection-based approach to type conversion, which migh

Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.

Published 2017-12-29 22:29:01

Updated 2024-08-22 15:35:02

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2014-9515

Dozer Project » Dozer
Versions up to, including, (<=) 5.5.1
cpe:2.3:a:dozer_project:dozer:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2014-9515

EPSS FAQ

2.55%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 84 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-9515

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-08-22
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2014-9515

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-9515

https://github.com/DozerMapper/dozer/issues/786

No indication if CVE-2014-9515 is solved · Issue #786 · DozerMapper/dozer · GitHub
https://github.com/pentestingforfunandprofit/research/tree/master/dozer-rce

research/dozer-rce at master · pentestingforfunandprofit/research · GitHub
Issue Tracking;Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Oracle Critical Patch Update Advisory - April 2021

CVEs referencing this url
https://github.com/DozerMapper/dozer/pull/447/commits/ccd550696f3df8545319ffa9c6adafc8eca2334c

[ISSUE 410] Updated proto package to be com.github.dozermapper.protobuf by garethahealy · Pull Request #447 · DozerMapper/dozer · GitHub
https://github.com/DozerMapper/dozer/issues/217

Potential remote code execution via dozer's reflection-based type conversion · Issue #217 · DozerMapper/dozer · GitHub
Issue Tracking;Third Party Advisory
http://www.securityfocus.com/bid/107970

Dozer CVE-2014-9515 Arbitrary Code Execution Vulnerability
https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf

Issue Tracking;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20240719-0002/

CVE-2014-9515 Dozer Vulnerability in NetApp Products | NetApp Product Security
https://github.com/DozerMapper/dozer/issues/410

Update references of package names to com.github.dozermapper · Issue #410 · DozerMapper/dozer · GitHub

Jump to

Vulnerability Details : CVE-2014-9515

Products affected by CVE-2014-9515

Exploit prediction scoring system (EPSS) score for CVE-2014-9515

CVSS scores for CVE-2014-9515

CWE ids for CVE-2014-9515

References for CVE-2014-9515