cvelist/2017/15xxx/CVE-2017-15708.json

{
   "CVE_data_meta" : {
      "ASSIGNER" : "security@apache.org",
      "DATE_PUBLIC" : "2017-12-10T00:00:00",
      "ID" : "CVE-2017-15708",
      "STATE" : "PUBLIC"
   },
   "affects" : {
      "vendor" : {
         "vendor_data" : [
            {
               "product" : {
                  "product_data" : [
                     {
                        "product_name" : "Synapse",
                        "version" : {
                           "version_data" : [
                              {
                                 "version_value" : "3.0.0"
                              },
                              {
                                 "version_value" : "2.1.0"
                              },
                              {
                                 "version_value" : "2.0.0"
                              },
                              {
                                 "version_value" : "1.2"
                              },
                              {
                                 "version_value" : "1.1.2"
                              },
                              {
                                 "version_value" : "1.1.1"
                              }
                           ]
                        }
                     }
                  ]
               },
               "vendor_name" : "Apache Software Foundation"
            }
         ]
      }
   },
   "data_format" : "MITRE",
   "data_type" : "CVE",
   "data_version" : "4.0",
   "description" : {
      "description_data" : [
         {
            "lang" : "eng",
            "value" : "Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions, Apache Synapse 3.0.0 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. To mitigate the issue upgrading to 3.0.1 version is required. In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability."
         }
      ]
   },
   "problemtype" : {
      "problemtype_data" : [
         {
            "description" : [
               {
                  "lang" : "eng",
                  "value" : "Remote Code Execution Vulnerability"
               }
            ]
         }
      ]
   },
   "references" : {
      "reference_data" : [
         {
            "url" : "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E"
         },
         {
            "url" : "http://www.securityfocus.com/bid/102154"
         }
      ]
   }
}
- Synchronized data. 2017-10-21 14:02:45 -04:00			`{`
			`"CVE_data_meta" : {`
- Added submission from Apache Synapse from 2017-12-10. 2017-12-11 09:06:55 -05:00			`"ASSIGNER" : "security@apache.org",`
			`"DATE_PUBLIC" : "2017-12-10T00:00:00",`
- Synchronized data. 2017-10-21 14:02:45 -04:00			`"ID" : "CVE-2017-15708",`
- Added submission from Apache Synapse from 2017-12-10. 2017-12-11 09:06:55 -05:00			`"STATE" : "PUBLIC"`
			`},`
			`"affects" : {`
			`"vendor" : {`
			`"vendor_data" : [`
			`{`
			`"product" : {`
			`"product_data" : [`
			`{`
			`"product_name" : "Synapse",`
			`"version" : {`
			`"version_data" : [`
			`{`
			`"version_value" : "3.0.0"`
			`},`
			`{`
			`"version_value" : "2.1.0"`
			`},`
			`{`
			`"version_value" : "2.0.0"`
			`},`
			`{`
			`"version_value" : "1.2"`
			`},`
			`{`
			`"version_value" : "1.1.2"`
			`},`
			`{`
			`"version_value" : "1.1.1"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name" : "Apache Software Foundation"`
			`}`
			`]`
			`}`
- Synchronized data. 2017-10-21 14:02:45 -04:00			`},`
			`"data_format" : "MITRE",`
			`"data_type" : "CVE",`
			`"data_version" : "4.0",`
			`"description" : {`
			`"description_data" : [`
			`{`
			`"lang" : "eng",`
- Added submission from Apache Synapse from 2017-12-10. 2017-12-11 09:06:55 -05:00			"value" : "Due to the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions, Apache Synapse 3.0.0 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. To mitigate the issue upgrading to 3.0.1 version is required. In Synapse 3.0.1 version, Commons Collection has been updated to 3.2.2 version which contains the fix for the above mentioned vulnerability."
			`}`
			`]`
			`},`
			`"problemtype" : {`
			`"problemtype_data" : [`
			`{`
			`"description" : [`
			`{`
			`"lang" : "eng",`
			`"value" : "Remote Code Execution Vulnerability"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references" : {`
			`"reference_data" : [`
			`{`
			`"url" : "https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E"`
- Synchronized data. 2017-12-13 08:03:10 -05:00			`},`
			`{`
			`"url" : "http://www.securityfocus.com/bid/102154"`
- Synchronized data. 2017-10-21 14:02:45 -04:00			`}`
			`]`
			`}`
			`}`