CVE ID: CVE-2015-3253

CVSS Score: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected Vendors:
- Apache
- Elastic

Affected Products:
- Groovy
- Elasticsearch

Vulnerability Details:
- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Groovy (1.7.0 through 2.4.3) and on any application that deserializes untrusted data with a vulnerable Groovy on its classpath. Authentication is not required to exploit this vulnerability.
- The specific flaw exists within the MethodClosure class (org.codehaus.groovy.runtime.MethodClosure), a Closure implementation that can be reconstituted from a Java serialized binary stream. A MethodClosure wraps a target object and a method name, and standard Java deserialization instantiates whatever classes the stream names before the application can inspect them, so an attacker who can deliver a crafted stream to a code path that calls ObjectInputStream.readObject() can have the closure invoke a method of their choosing and execute arbitrary code under the context of the user running the application.

Additional Details:
- Apache has issued an update to correct this vulnerability (Groovy 2.4.4, in which MethodClosure refuses to be deserialized by default). More details can be found at: http://groovy-lang.org/security.html
- Elastic has issued an update to correct this vulnerability. More details can be found at: https://www.elastic.co/community/security

Disclosure Timeline:
- 2015-06-30 - Vulnerability reported to vendor
- 2015-07-20 - Coordinated public release of advisory

Credit: cpnrodzc7
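The practical mitigation for an application that cannot immediately upgrade Groovy, or that wants defence in depth after upgrading, is look-ahead deserialization: vet every class name in the stream inside resolveClass(), before the JVM loads the class or runs its readObject()/readResolve(). The following is an added example written for this page, not code from Apache Groovy, Elastic, or the advisory. The SafeObjectInputStream name, the allow-list contents, the Ticket type and the denied-prefix list are assumptions chosen for illustration; only org.codehaus.groovy.runtime.MethodClosure comes from the CVE itself. It runs on Java 9 or later without Groovy on the classpath, because classes are rejected by name.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Look-ahead deserialization (added example, not Groovy's own fix):
 * resolveClass() runs before any class named in the stream is loaded,
 * so a crafted MethodClosure is refused before its logic can execute.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    // Assumed allow-list: the only types this application expects in a stream.
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.Integer", "java.lang.Number",
        "java.util.ArrayList", "java.util.HashMap",
        Ticket.class.getName());

    // Known-dangerous names, rejected even if someone later widens ALLOWED.
    private static final String[] DENIED_PREFIXES = {
        "org.codehaus.groovy.runtime.MethodClosure",  // CVE-2015-3253 entry point
        "groovy."                                     // assumed: no Groovy types expected at all
    };

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        for (String bad : DENIED_PREFIXES) {
            if (name.startsWith(bad)) {
                throw new InvalidClassException(name, "blocked by deserialization filter");
            }
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Assumed application type used to show that allow-listed data still round-trips.
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String owner;
        final int seat;
        Ticket(String owner, int seat) { this.owner = owner; this.seat = seat; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An allow-listed type deserializes normally.
        Ticket t = (Ticket) deserialize(serialize(new Ticket("alice", 12)));
        System.out.println("ok: " + t.owner + " seat " + t.seat);

        // Any class outside the allow-list is refused before it is loaded;
        // java.util.Date stands in here for an attacker-chosen class.
        try {
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later the same policy can be expressed without subclassing through java.io.ObjectInputFilter, either per stream via ObjectInputStream.setObjectInputFilter or process-wide with the jdk.serialFilter system property, for example -Djdk.serialFilter='!org.codehaus.groovy.runtime.MethodClosure;!groovy.**;java.base/*;!*'. Whichever mechanism is used, the check must happen before class resolution; inspecting the object after readObject() returns is too late, because a MethodClosure's effect can occur during deserialization itself.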