{"id":"CVE-2016-6199","details":"ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.","modified":"2026-04-10T03:52:22.077771Z","published":"2017-02-07T15:59:00.427Z","references":[{"type":"ADVISORY","url":"https://philwantsfish.github.io/security/java-deserialization-github"},{"type":"EVIDENCE","url":"https://discuss.gradle.org/t/a-security-issue-about-gradle-rce/17726"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gradle/gradle","events":[{"introduced":"0"},{"last_affected":"b29fbb64ad6b068cb3f05f7e40dc670472129bc0"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.12"}]}}],"versions":["REL-0.8","REL-0.9-preview-1","REL-0.9-preview-2","REL-0.9-preview-3","REL-0.9-rc-1","REL_0.9","REL_0.9-rc-2","REL_0.9-rc-3","REL_0.9.1","REL_0.9.2","REL_1.0-milestone-1","REL_1.0-milestone-2","REL_1.0-milestone-3","REL_1.11","REL_1.11-rc-1","REL_1.12","REL_1.12-rc-1","REL_1.12-rc-2","REL_2.12","REL_2.12-rc-1","v0.8","v0.8.0","v0.9","v0.9-RC1","v0.9-RC2","v0.9-RC3","v0.9.0","v0.9.0-RC1","v0.9.0-RC2","v0.9.0-RC3","v0.9.1","v0.9.2","v1.0-M1","v1.0-M2","v1.0-M3","v1.0.0-M1","v1.0.0-M2","v1.0.0-M3","v1.11","v1.11-RC1","v1.11.0","v1.11.0-RC1","v1.12","v1.12-RC1","v1.12-RC2","v1.12.0","v1.12.0-RC1","v1.12.0-RC2","v2.12","v2.12-RC1","v2.12.0","v2.12.0-RC1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6199.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}