{"id":"MGASA-2015-0296","summary":"Updated groovy package fixes security vulnerability","details":"When an application has Groovy on the classpath and uses the standard\nJava serialization mechanism to communicate between servers, or to store\nlocal data, it is possible for an attacker to craft a special serialized\nobject that will execute code directly when deserialized. All applications\nwhich rely on serialization and do not isolate the code which deserializes\nobjects are subject to this vulnerability (CVE-2015-3253).\n","modified":"2026-04-16T01:48:24.045671810Z","published":"2015-07-30T21:08:51Z","upstream":["CVE-2015-3253"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0296.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16393"},{"type":"WEB","url":"http://groovy-lang.org/security.html"}],"affected":[{"package":{"name":"groovy","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/groovy?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.7-3.1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0296.json"}},{"package":{"name":"groovy","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/groovy?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.9-5.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0296.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}