Vulnerability Details : CVE-2016-4000
Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.
Vulnerability category: Execute code
Products affected by CVE-2016-4000
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:jython_project:jython:2.7.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-4000
EPSS score: 2.93% (estimated probability of exploitation activity in the next 30 days)
EPSS percentile: ~91% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2016-4000
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
The first row is the CVSS v2 assessment, the second the CVSS v3.0 assessment; both describe an unauthenticated, network-reachable vulnerability that needs no user interaction.
CWE ids for CVE-2016-4000
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. (Assigned by: nvd@nist.gov, Primary)
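The two facts a practitioner acts on here are the affected range ("before 2.7.1rc1", from the description above) and the CWE text: untrusted data reaching Java deserialization. The following is an added example, not code from the Jython project or from any of the advisories referenced on this page. It assumes that the reported Jython version uses the project's release tag scheme (2.7.1b3, 2.7.1rc1, 2.7.1) and that you can obtain the raw Java serialization bytes of an inbound payload, for instance at a gateway in front of a JVM that has Jython on its classpath. The sample streams are constructed for the example, not captured traffic.

```python
"""CVE-2016-4000 helpers: version triage and a wire-level check for a
serialized org.python.core.PyFunction.

Added example; not code from the Jython project, Debian, Oracle or NVD.
Assumptions (ours): inbound payloads are raw Java serialization streams and
class names in them are ASCII.
"""
import re
import struct

FIXED_IN = "2.7.1rc1"  # from the advisory text: "Jython before 2.7.1rc1"

# Jython tags releases as 2.7.1b3, 2.7.1rc1, 2.7.1 ...; order: aN < bN < rcN < final.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")


def version_key(version: str):
    """Sortable key so that 2.7.1b3 < 2.7.1rc1 < 2.7.1 < 2.7.2."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jython version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    # A final release ranks above any pre-release of the same number.
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return nums, pre


def is_affected(version: str) -> bool:
    """True if this Jython version is older than the first fixed release."""
    return version_key(version) < version_key(FIXED_IN)


JAVA_SERIAL_MAGIC = b"\xac\xed"
TC_CLASSDESC = 0x72  # tag byte, followed by u2 length + class name
# The class the advisory names as the vector; extend as needed.
DENIED_CLASSES = {"org.python.core.PyFunction"}
_CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def class_descriptors(stream: bytes):
    """Yield class names from TC_CLASSDESC records in a Java serialization stream.

    Lightweight scan, not a full parser: every 0x72 byte is tried as a tag and
    accepted only if a plausible Java class name follows, which keeps stray
    0x72 bytes inside primitive field data from producing false hits.
    """
    i = 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", stream, i + 1)
            name = stream[i + 3 : i + 3 + length]
            if length and len(name) == length and _CLASS_NAME_RE.match(name):
                yield name.decode("ascii")
                i += 3 + length
                continue
        i += 1


def inspect_stream(stream: bytes) -> dict:
    """Classify a payload: Java serialization or not, which classes it
    describes, and which of those are on the deny list."""
    if not stream.startswith(JAVA_SERIAL_MAGIC):
        return {"java_serialized": False, "classes": [], "denied": []}
    classes = list(class_descriptors(stream))
    return {
        "java_serialized": True,
        "classes": classes,
        "denied": [c for c in classes if c in DENIED_CLASSES],
    }


def _stream(class_name: bytes) -> bytes:
    """Constructed sample (not captured traffic): just enough of the Java
    serialization grammar to carry one class descriptor."""
    return (
        b"\xac\xed\x00\x05"                      # STREAM_MAGIC, STREAM_VERSION
        + b"\x73\x72"                            # TC_OBJECT, TC_CLASSDESC
        + struct.pack(">H", len(class_name)) + class_name
        + b"\x00" * 8 + b"\x02" + b"\x00\x00"    # serialVersionUID, flags, 0 fields
        + b"\x78\x70"                            # TC_ENDBLOCKDATA, TC_NULL (no super)
    )


MALICIOUS = _stream(b"org.python.core.PyFunction")
BENIGN = _stream(b"java.util.HashMap")

if __name__ == "__main__":
    for v in ("2.7.0", "2.7.1b3", "2.7.1rc1", "2.7.1"):
        print(v, "affected" if is_affected(v) else "fixed")
    for label, blob in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, inspect_stream(blob))
```

Run as a script it prints the triage for four versions and the classification of both sample streams. The version comparison matters because 2.7.1 pre-releases sort below 2.7.1rc1: a reported 2.7.1b3 is still affected, while 2.7.1rc1 itself is the first fixed build. The stream scan is a detection signature, not a parser; it is suitable for flagging or blocking at a boundary, but the fix remains upgrading Jython or keeping untrusted bytes away from Java deserialization entirely.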
References for CVE-2016-4000
- http://www.securityfocus.com/bid/105647 : Oracle Enterprise Manager Ops Center CVE-2016-4000 Remote Security Vulnerability
- https://www.oracle.com/security-alerts/cpujan2020.html : Oracle Critical Patch Update Advisory - January 2020
- https://hg.python.org/jython/file/v2.7.1rc1/NEWS : jython: 330556fdad47 NEWS (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html : Oracle Critical Patch Update - October 2018
- https://www.oracle.com/security-alerts/cpuapr2020.html : Oracle Critical Patch Update Advisory - April 2020
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html : Oracle Critical Patch Update - October 2019
- https://www.oracle.com/security-alerts/cpujul2020.html : Oracle Critical Patch Update Advisory - July 2020
- https://lists.apache.org/thread.html/0919ec1db20b1022f22b8e78f355667df74d6142b463ff17d03ad533@%3Cdevnull.infra.apache.org%3E : [GitHub] [flink] aloyszhang opened pull request #8100: [FLINK-12082] Bump up the jython-standalone version
- https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451 : Arbitrary Code Execution in org.python:jython-standalone (Snyk; Third Party Advisory)
- https://security.gentoo.org/glsa/201710-28 : Jython: Arbitrary code execution (GLSA 201710-28)
- https://security-tracker.debian.org/tracker/CVE-2016-4000 : Debian security tracker entry for CVE-2016-4000 (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html : Oracle Critical Patch Update - April 2019
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html : Oracle Critical Patch Update - January 2019
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864859 : Debian bug #864859 - jython: CVE-2016-4000: Unsafe deserialization leads to code execution (Mailing List; Third Party Advisory)
- http://www.debian.org/security/2017/dsa-3893 : Debian Security Advisory DSA-3893-1 jython (Third Party Advisory)
- http://bugs.jython.org/issue2454 : Jython tracker Issue 2454: Security Vulnerability in Jython (Vendor Advisory)
- https://hg.python.org/jython/rev/d06e29d100c0 : jython changeset d06e29d100c0 (Patch; Third Party Advisory)