CVE-2016-0779

Published: Apr 11, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.

Affected (2)

Products: Apache: Tomee

Apache

1 product

Tomee

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Tomee	Up to 1.7.3
Apache Tomee	Version 7.0.0 m1

Related CWEs

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (12)

http://packetstormsecurity.com/files/136256/Apache-TomEE-Patched.html

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://tomee-openejb.979440.n4.nabble.com/Document-resolved-vulnerability-CVE-2015-8581-td4678073.html

Source: secalert@redhat.com

Issue Tracking

http://tomee.apache.org/security/tomee.html

Source: secalert@redhat.com

PatchVendor Advisory

http://www.securityfocus.com/archive/1/537806/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/bid/79204

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.zerodayinitiative.com/advisories/ZDI-15-638

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/136256/Apache-TomEE-Patched.html