CVE-2018-6331

Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
facebookCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
facebookbuck
𝑥
< 2018.06.25.01
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf
https://github.com/facebook/buck/commit/8c5500981812564877bd122c0f8fab48d3528ddf