Critical severity 9.8 · NVD Advisory · Published Jul 6, 2017 · Updated May 13, 2026
CVE-2016-4000
Description
Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.python:jython-standalone (Maven) | < 2.7.1 | 2.7.1 |
| org.python:jython (Maven) | < 2.7.1-rc1 | 2.7.1-rc1 |
Patches
No patches discovered yet.
References
- hg.python.org/jython/rev/d06e29d100c0 (nvd; Patch; Third Party Advisory; WEB)
- bugs.jython.org/issue2454 (nvd; Vendor Advisory; WEB)
- www.debian.org/security/2017/dsa-3893 (nvd; Third Party Advisory; WEB)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd; Mailing List; Third Party Advisory; WEB)
- github.com/advisories/GHSA-6r7r-jj8h-pq6v (ghsa; ADVISORY)
- hg.python.org/jython/file/v2.7.1rc1/NEWS (nvd; Third Party Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2016-4000 (ghsa; ADVISORY)
- security-tracker.debian.org/tracker/CVE-2016-4000 (nvd; Third Party Advisory; WEB)
- snyk.io/vuln/SNYK-JAVA-ORGPYTHON-31451 (nvd; Third Party Advisory; WEB)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (nvd; WEB)
- lists.apache.org/thread.html/0919ec1db20b1022f22b8e78f355667df74d6142b463ff17d03ad533@%3Cdevnull.infra.apache.org%3E (ghsa; WEB)
- security.gentoo.org/glsa/201710-28 (nvd; WEB)
- www.oracle.com/security-alerts/cpuapr2020.html (nvd; WEB)
- www.oracle.com/security-alerts/cpujan2020.html (nvd; WEB)
- www.oracle.com/security-alerts/cpujul2020.html (nvd; WEB)
- www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (nvd; WEB)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (nvd; WEB)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (nvd; WEB)
- www.securityfocus.com/bid/105647 (nvd)
- lists.apache.org/thread.html/0919ec1db20b1022f22b8e78f355667df74d6142b463ff17d03ad533%40%3Cdevnull.infra.apache.org%3E (nvd)