CVE-2015-7450

CVSS 9.8 CRITICAL · EPSS 97.7% · KEV · CWE-502
In short

A flaw in how certain IBM products handle serialized Java objects allows remote attackers to run arbitrary commands on the affected server. It occurs because the products deserialize incoming data using a library component (Apache Commons Collections) that does not validate that data safely.

Technical detail

Remote attackers can exploit insecure deserialization of Java objects via the InvokerTransformer class in Apache Commons Collections to achieve remote code execution. The attack requires no authentication and can be triggered by sending a crafted serialized object to affected IBM products, resulting in complete system compromise.

Summary generated and translated by AI from the official description.

Official description

Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a