CVE-2018-6331

EUVD-2018-18092
Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
Affected Products (NVD)
VendorProductVersion
facebookbuck
𝑥
< 2018.06.25.01
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf
https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf