Apache Commons Collections unsafely deserializes untrusted input, potentially resulting in arbitrary code execution.
Package | dev-java/commons-collections on all architectures |
---|---|
Affected versions | < 3.2.2 |
Unaffected versions | >= 3.2.2 |
Apache Commons Collections extends the JCF classes with new interfaces, implementations and utilities.
Some classes in the Apache Commons Collections functor package deserialized potentially untrusted input by default.
Deserializing untrusted input using Apache Commons Collections could result in remote code execution.
There is no known workaround at this time.
All Apache Commons Collections users should upgrade to the latest version:
  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-java/commons-collections-3.2.2"
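A follow-up check, added here as an example and not part of the advisory: the upgrade above replaces the Portage-installed package, so this script flags commons-collections 3.x jar files whose file name carries a version below 3.2.2. It assumes applications may carry their own copy of the jar and that the file name reflects the real version; the sample paths are constructed, and renamed or repackaged jars are not detected.

```shell
#!/bin/sh
# Added example (not from the advisory): flag commons-collections 3.x jars
# whose file name carries a version below the fixed release named above.
FIXED="3.2.2"

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; an exhausted side counts as 0.
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal versions are not "lower"
}

# jar_version PATH: print the version from a commons-collections-<ver>.jar
# file name; print nothing for any other name (commons-collections4 included).
jar_version() {
    basename "$1" |
        sed -n 's/^commons-collections-\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*\.jar$/\1/p'
}

# scan_jars: read jar paths on stdin, report those older than $FIXED.
scan_jars() {
    while IFS= read -r jar; do
        ver=$(jar_version "$jar")
        if [ -z "$ver" ]; then continue; fi
        if version_lt "$ver" "$FIXED"; then
            printf 'AFFECTED %s (%s < %s)\n' "$jar" "$ver" "$FIXED"
        fi
    done
}

# Constructed sample paths; on a real host feed scan_jars from e.g.
#   find / -xdev -name 'commons-collections-*.jar' 2>/dev/null
sample_paths() {
    printf '%s\n' \
        /opt/app-a/lib/commons-collections-3.2.1.jar \
        /opt/app-b/WEB-INF/lib/commons-collections-3.1.jar \
        /opt/app-c/lib/commons-collections-3.2.2.jar \
        /opt/app-d/lib/commons-collections4-4.1.jar \
        /opt/app-d/lib/commons-lang-2.6.jar
}

sample_paths | scan_jars
```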
Release date: July 16, 2021
Latest revision: July 16, 2021: 1
Severity: normal
Exploitable: remote
Bugzilla entries