{"id":"CVE-2018-6331","details":"Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.","modified":"2026-04-11T09:39:50.310263Z","published":"2018-12-31T23:29:00.237Z","references":[{"type":"FIX","url":"https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/facebook/buck","events":[{"introduced":"0"},{"fixed":"266d085873781fdf00f1419444a7ba8976b8084d"},{"fixed":"8c5500981812564877bd122c0f8fab48d3528ddf"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2018.06.25.01"}]}}],"versions":["v2015.09.10.01","v2015.09.15.01","v2017.03.29.01","v2017.05.09.01","v2017.05.31.01","v2017.09.04.01","v2017.09.04.02","v2017.10.01.01","v2017.11.16.01","v2018.02.16.01","v2018.03.26.01"],"database_specific":{"vanir_signatures_modified":"2026-04-11T09:39:50Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-6331.json","vanir_signatures":[{"target":{"function":"runWithoutHelp","file":"src/com/facebook/buck/cli/ParserCacheCommand.java"},"digest":{"function_hash":"134644099577632656356301366235559859540","length":1446},"signature_type":"Function","id":"CVE-2018-6331-5a157d8e","source":"https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf","signature_version":"v1","deprecated":false},{"target":{"file":"test/com/facebook/buck/cli/ParserCacheCommandIntegrationTest.java"},"digest":{"threshold":0.9,"line_hashes":["294908862540740728211718966180692737441","139875312924700524251988940463570794877","210487957749746909939118443453884109758","329906905120647623747116729497957191862","143532120316266836751838371556411848009","99937910495947498223997628691234419861","41957212922945413548730296476111818066","212526429110154489961712439064715026927","11503067880287711469757032956378510177","41284443922876524147709528125234617249","213435899883661749969395760996239759309","145166166893495046052026498987737677774","37041542446811250621202090507626639301","321871189578994292621772302711838567073","284448606779553295816869817515816000305"]},"signature_type":"Line","id":"CVE-2018-6331-6b900ab8","source":"https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf","signature_version":"v1","deprecated":false},{"target":{"file":"src/com/facebook/buck/cli/ParserCacheCommand.java"},"digest":{"threshold":0.9,"line_hashes":["327907603331701235201862311636604267077","208399489611775618888646420564319829987","49829991717620061785605041251447117388","311121164583708823896600424447241207651","338096795697352815717481467254715727923","92587449257307688904441480635600292602"]},"signature_type":"Line","id":"CVE-2018-6331-de0bb0d9","source":"https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf","signature_version":"v1","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}