CRITICAL 9.8
GHSA-6r7r-jj8h-pq6v
Deserialization of Untrusted Data in Jython
Details
Jython before 2.7.1b3 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.
Affected packages
Maven / org.python:jython-standalone
Introduced in: 0
Fixed in: 2.7.1b3
Fix: # pom.xml: bump <version>2.7.1b3</version> for org.python:jython-standalone
Maven / org.python:jython
Introduced in: 0
Fixed in: 2.7.1b3
Fix: # pom.xml: bump <version>2.7.1b3</version> for org.python:jython
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-4000 [ADVISORY]
- https://github.com/jython/jython/commit/ee4200fdd5385d3f74a5cf1a781fa52d33bbb274 [WEB]
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html [WEB]
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html [WEB]
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html [WEB]
- https://www.oracle.com/security-alerts/cpujul2020.html [WEB]
- https://www.oracle.com/security-alerts/cpujan2020.html [WEB]
- https://www.oracle.com/security-alerts/cpuapr2020.html [WEB]
- https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451 [WEB]
- https://security.gentoo.org/glsa/201710-28 [WEB]
- https://security-tracker.debian.org/tracker/CVE-2016-4000 [WEB]
- https://lists.apache.org/thread.html/0919ec1db20b1022f22b8e78f355667df74d6142b463ff17d03ad533@%3Cdevnull.infra.apache.org%3E [WEB]
- https://hg.python.org/jython/rev/d06e29d100c0 [WEB]
- https://hg.python.org/jython/file/v2.7.1rc1/NEWS [WEB]
- https://github.com/jython/jython [PACKAGE]
- https://bugs.jython.org/issue2454 [WEB]
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864859 [WEB]
- http://bugs.jython.org/issue2454 [WEB]
- http://www.debian.org/security/2017/dsa-3893 [WEB]
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html [WEB]