- **CVE ID**: CVE-2015-3253
- **CVSS Score**: 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P
- **Affected Vendors**:
  - Apache
  - Elastic
- **Affected Products**:
  - Groovy
  - Elasticsearch
- **Vulnerability Details**:
  - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Groovy. Authentication is not required to exploit this vulnerability.
  - The specific flaw exists within the Closure implementation which accepts and deserializes a Java serialized binary stream. An attacker can leverage this vulnerability to execute arbitrary code under the context of the user.
- **Additional Details**:
  - Apache has issued an update to correct this vulnerability. More details can be found at: http://groovy-lang.org/security.html
  - Elastic has issued an update to correct this vulnerability. More details can be found at: https://www.elastic.co/community/security
- **Disclosure Timeline**:
  - 2015-06-30 - Vulnerability reported to vendor
  - 2015-07-20 - Coordinated public release of advisory
- **Credit**: cpnrodzc7
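
A defender-side check for the serialized-stream vector described under Vulnerability Details, as an added example that is not part of the advisory or of Apache's or Elastic's code: it scans a captured payload for Java serialization class descriptors and reports those that name Groovy runtime classes. The package prefixes, the `MethodClosure` class name used in the sample, and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                  # marks a new class descriptor
VALID_FLAGS = 0x1F                   # SC_WRITE_METHOD through SC_ENUM
CLASS_NAME = re.compile(rb"[A-Za-z_$\[][\w$.;\[]*")
# Assumption: package prefixes of Groovy's runtime, not taken from the advisory.
SUSPECT_PREFIXES = ("groovy.lang.", "org.codehaus.groovy.")


def class_descriptors(data):
    """Yield each class name declared by a TC_CLASSDESC record after the magic."""
    start = data.find(STREAM_MAGIC)
    if start < 0:
        return
    i = start + len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", data, i + 1)
            end = i + 3 + n + 9      # name, 8-byte serialVersionUID, 1 flag byte
            name = data[i + 3:i + 3 + n]
            if (end <= len(data) and CLASS_NAME.fullmatch(name)
                    and data[end - 1] & ~VALID_FLAGS == 0):
                yield name.decode("ascii")
                i = end              # skip the record so its bytes are not rescanned
                continue
        i += 1


def find_groovy_classes(data):
    """Return the Groovy runtime classes a serialized stream asks to instantiate."""
    return [c for c in class_descriptors(data) if c.startswith(SUSPECT_PREFIXES)]


def _constructed_stream(class_name):
    """Constructed sample: one field-less object header, zeroed serialVersionUID."""
    name = class_name.encode("ascii")
    desc = bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
    desc += b"\x00" * 8 + b"\x02" + b"\x00\x00" + b"\x78\x70"
    return STREAM_MAGIC + b"\x73" + desc


# Constructed inputs: a stream embedded after unrelated bytes, and a benign one.
SAMPLE_SUSPECT = b"constructed-prefix" + _constructed_stream(
    "org.codehaus.groovy.runtime.MethodClosure")
SAMPLE_BENIGN = _constructed_stream("java.util.ArrayList")

if __name__ == "__main__":
    for label, blob in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, find_groovy_classes(blob))
```

The scan is a byte-level heuristic rather than a full stream parser, so a hit is a reason to inspect the payload and confirm the vendor updates are applied, not proof of exploitation.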