CVE-2016-4000: Deserialization Gadget

July 6, 2017 (updated April 23, 2019)

This package allows attackers to execute arbitrary code via a crafted serialized PyFunction object.

References

bugs.jython.org/issue2454
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Jython1.java

Detect and mitigate CVE-2016-4000 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →