CVE-2016-4000

high-risk
Published 2017-07-06

Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.

Do I need to act?

!
12.5% chance of exploitation in next 30 days
EPSS score — higher than 88% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Jython Project Debian

References (34)

Vendor Advisory http://bugs.jython.org/issue2454
Third Party Advisory http://www.debian.org/security/2017/dsa-3893
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/105647
Mailing List https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864859
Third Party Advisory https://hg.python.org/jython/file/v2.7.1rc1/NEWS
Patch https://hg.python.org/jython/rev/d06e29d100c0
https://lists.apache.org/thread.html/0919ec1db20b1022f22b8e78f355667df74d6142b46...
Third Party Advisory https://security-tracker.debian.org/tracker/CVE-2016-4000
https://security.gentoo.org/glsa/201710-28
Third Party Advisory https://snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Vendor Advisory http://bugs.jython.org/issue2454
Third Party Advisory http://www.debian.org/security/2017/dsa-3893
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
and 14 more references
51
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 12/34 · Low
Exposure 7/34 · Low