Bug 2496197 (CVE-2026-55153)
| Summary: | CVE-2026-55153 com.mchange/mchange-commons-java: mchange-commons-java: Remote code execution via JNDI injection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abrianik, anthomas, anujha, asoldano, bbaranow, bmaxwell, bstansbe, ccranfor, chfoley, dlofthou, ehelms, fmariani, ggainey, ggrzybek, gmalinko, istudens, ivassile, iweiss, janstey, jpasqual, jpechane, jraez, juwatts, jwon, kgaikwad, mcarlett, mhulan, mosmerov, msvehla, nmoumoul, nwallace, osousa, parichar, pberan, pcreech, pesilva, pjindal, pmackay, rchan, rgodfrey, rstancel, rstepani, smallamp, swoodman, tasato, tcunning, thjenkin, tmalecek, vdosoudi, yfang |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in mchange-commons-java, a Java utility library. This vulnerability allows a remote attacker to achieve arbitrary code execution through Java Naming and Directory Interface (JNDI) injection. The library's JNDI ObjectFactory can construct objects of arbitrary classes and initialize properties, which can be exploited by malicious JNDI Reference objects. This could lead to an attacker executing unauthorized code within the application's security domain.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-07-01 21:02:48 UTC
|