{
  "threat_severity" : "Important",
  "public_date" : "2016-02-22T00:00:00Z",
  "bugzilla" : {
    "description" : "bsh2: remote code execution via deserialization",
    "id" : "1310647",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1310647"
  },
  "cvss" : {
    "cvss_base_score" : "6.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.", "A deserialization flaw allowing remote code execution was found in the BeanShell library. If BeanShell was on the classpath, it could permit code execution if another part of the application deserialized objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the BeanShell library." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.3.1",
    "release_date" : "2019-06-18T00:00:00Z",
    "advisory" : "RHSA-2019:1545",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "camel"
  }, {
    "product_name" : "Red Hat JBoss BPMS 6.2",
    "release_date" : "2016-03-30T00:00:00Z",
    "advisory" : "RHSA-2016:0539",
    "cpe" : "cpe:/a:redhat:jboss_bpms:6.2"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6.2",
    "release_date" : "2016-03-30T00:00:00Z",
    "advisory" : "RHSA-2016:0540",
    "cpe" : "cpe:/a:redhat:jboss_brms:6.2"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6.2",
    "release_date" : "2016-05-26T00:00:00Z",
    "advisory" : "RHSA-2016:1135",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.2",
    "package" : "bsh2"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.3",
    "release_date" : "2016-10-06T00:00:00Z",
    "advisory" : "RHSA-2016:2035",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5.3",
    "release_date" : "2016-06-30T00:00:00Z",
    "advisory" : "RHSA-2016:1376",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3",
    "package" : "jbossas"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Affected",
    "package_name" : "BusinessCentral",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "jbossas",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Affected",
    "package_name" : "BusinessCentral",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5.2.0",
    "fix_state" : "Not affected",
    "package_name" : "bsh2",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Affected",
    "package_name" : "Camel",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "Core Server",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-2510\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-2510\nhttps://github.com/beanshell/beanshell/releases/tag/2.0b6" ],
  "name" : "CVE-2016-2510",
  "csaw" : false
}