CVE-2015-6934

Serialized-object interfaces in VMware vRealize Orchestrator 6.x, vCenter Orchestrator 5.x, vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager (vADM) 7.x allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.

Published: Dec 21, 2015
Updated: Apr 13, 2023
CVE: CVE-2015-6934
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
vmware / vcenter_orchestrator	5.5.2	5.5.2.x
vmware / vcenter_orchestrator	5.5.1	5.5.1.x
vmware / vcenter_orchestrator	5.5.2.1	5.5.2.1.x
vmware / vrealize_orchestrator	6.0.1	6.0.1.x
vmware / vrealize_orchestrator	6.0.2	6.0.2.x
vmware / vcenter_orchestrator	5.5	5.5.x
vmware / vrealize_orchestrator	6.0.3	6.0.3.x

http://www.securityfocus.com/bid/79648
http://www.vmware.com/security/advisories/VMSA-2015-0009.html

Vulnerability Database

289,697

CVE-2015-6934