{"id":"CVE-2016-2510","details":"BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.","aliases":["GHSA-gxg6-rc6c-v673"],"modified":"2026-07-08T12:43:41.883617Z","published":"2016-04-07T20:59:05.567Z","related":["SUSE-SU-2016:0699-1","SUSE-SU-2016:0700-1","openSUSE-SU-2024:10420-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","cpes":["cpe:2.3:a:beanshell:beanshell:2.0:beta1:*:*:*:*:*:*","cpe:2.3:a:beanshell:beanshell:2.0:beta4:*:*:*:*:*:*","cpe:2.3:a:beanshell:beanshell:2.0:beta5:*:*:*:*:*:*"],"vendor_product":"beanshell:beanshell","extracted_events":[{"introduced":"2.0-beta1"},{"last_affected":"2.0-beta1"},{"introduced":"2.0-beta4"},{"last_affected":"2.0-beta4"},{"introduced":"2.0-beta5"},{"last_affected":"2.0-beta5"}]},{"source":"CPE_STRING","cpes":["cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*"],"vendor_product":"canonical:ubuntu_linux","extracted_events":[{"introduced":"12.04"},{"last_affected":"12.04"},{"introduced":"14.04"},{"last_affected":"14.04"},{"introduced":"15.10"},{"last_affected":"15.10"}]},{"source":"CPE_STRING","cpes":["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","extracted_events":[{"introduced":"7.0"},{"last_affected":"7.0"},{"introduced":"8.0"},{"last_affected":"8.0"}]}]},"references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-0539.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-0540.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2035.html"},{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3504"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/84139"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1035440"},{"type":"ADVISORY","url":"http://www.ubuntu.com/usn/USN-2923-1"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1135"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2016:1376"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1545"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201607-17"},{"type":"FIX","url":"https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced"},{"type":"FIX","url":"https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49"},{"type":"FIX","url":"https://github.com/beanshell/beanshell/releases/tag/2.0b6"},{"type":"EVIDENCE","url":"https://github.com/frohoff/ysoserial/pull/13"},{"type":"EVIDENCE","url":"https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/beanshell/beanshell","events":[{"introduced":"927f80d2a1b3a64b8d3eeeb07c94cfd158ba645d"},{"last_affected":"927f80d2a1b3a64b8d3eeeb07c94cfd158ba645d"},{"fixed":"1ccc66bb693d4e46a34a904db8eeff07808d2ced"},{"fixed":"7c68fde2d6fc65e362f20863d868c112a90a9b49"},{"fixed":"7bf2199161b4cfe717d38d412ec6cf3f21751200"}],"database_specific":{"source":["CPE_STRING","REFERENCES"],"extracted_events":[{"introduced":"1.0"},{"last_affected":"1.0"}],"cpe":"cpe:2.3:a:beanshell:beanshell:1.0:*:*:*:*:*:*:*"}}],"versions":["1.0"],"database_specific":{"vanir_signatures_modified":"2026-07-08T12:43:41Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-2510.json","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/beanshell/beanshell/commit/7bf2199161b4cfe717d38d412ec6cf3f21751200","id":"CVE-2016-2510-3f73c38f","deprecated":false,"digest":{"line_hashes":["35614299268614867835042934647145200446","208752594288842425892347335675051161108","5604377958557984412708643064681431671","65144318579096056143954542355067328911"],"threshold":0.9},"target":{"file":"src/bsh/Interpreter.java"},"signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49","id":"CVE-2016-2510-e0267d02","deprecated":false,"digest":{"line_hashes":["116711807395988289538945154664562202555","167959936975751547007998631808540871417","38687778535351195993184597757824437531","249032883651888707697673993935683641412"],"threshold":0.9},"target":{"file":"src/bsh/XThis.java"},"signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced","id":"CVE-2016-2510-edb15755","deprecated":false,"digest":{"line_hashes":["163905886338766998459775178756951691891","305441933704093462803848766802017671481"],"threshold":0.9},"target":{"file":"tests/junitTests/src/bsh/BshSerializationTest.java"},"signature_type":"Line"},{"signature_version":"v1","source":"https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced","id":"CVE-2016-2510-f18623f1","deprecated":false,"digest":{"line_hashes":["271413369883363426473678453284879795575","74533006393110408236644417974551269442","226748113031818034570208424271141764316","267690722060668218591053117793183490560","22814468215271365422363944901559573679","27217412151240785729613992303890490297","120491306522866320170979011947174869451","56985026784922710393674620072302057365","62139482827701810554114492183619633261","49707158956888182194525654137239369968","11173945259877414840543231712090192615","315081075351724908020625918530543646974","23857702660930548674005999517870290206","161912339007482158629597650571135604339","152217360514404182647163471858059562771","323922312007930079754978460183221197841","120940611802160903361809521404359212459","106433809316179643190796699701443427972","278741203176295974648468889660687328092","194334748685044045876404541325343123656","28556588749922620437337307696785034734","82143485654298136869740767190845955851","332641439228342477557834575836240203785","34864309467147101854848179558849227290","8405644328541736262425063012752278036","36394683861224109571200716003216866645","123167392407353031505869373743624248039","243399955807465774182569329966936045055","249032883651888707697673993935683641412","36015003527925727580486351702019524601","152591905700942945784322511479393377530","213046718964569735541367853820001258563","311158319023477461626206631349595944725","25034763763539684082962583003624596771","157960528119434161574686247208378860307","153515345245930409006670678609242630886","198365334930261880913920985270749897832","72640992606907247473494534067290906375","272873498085520819718693431145938497294","115686182916101629265689314042149779645","93319719382370115506375694050508083473","324401534049653398513705320172608184292","332670457614120523225308251718639553735","58756059078491027049488733729109653457","244997232788373258060669885466921030390","122812959496558039257665374215051950901","244093332104961195285881267119311960810","147405095195869908886117448190820749737","167056016873148886212485417552520127418","274304335377924658810837340573315884843","132624088853648478804328988329989518655","155276034782992133464020158135889805487","113211630891305053032863126994257055750","207037664305693046073391079027958502230","289655558450869975566319796322150154259","267269603480629339075566987889914572173","35632428908318553929822330045351546209","231672252375322308144764857289944334354","204110056647989372154202156330874340008","23017489845503074536474485790673691806","139118692718288369546412731888050296140","51722493523182863503661416037850538279","292714346270886752435370164362235254238","314931222106061131718207034981481312044","276299468915227676361366431078955413253","142586364360674890159943727090260618743","91498840205367049705769188815894532555","70321786440742177210256184992193429087","181952021956541036148559699577402643979","242149597045909789879306792204531138777"],"threshold":0.9},"target":{"file":"src/bsh/XThis.java"},"signature_type":"Line"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}