PatchSiren cyber security CVE debrief
CVE-2016-6199 Gradle CVE debrief
CVE-2016-6199 is a critical remote code execution issue affecting Gradle 2.12. The NVD record describes the flaw as an insecure deserialization problem in ObjectSocketWrapper.java, where a crafted serialized object can let a remote attacker execute arbitrary code. NVD assigns CWE-502 and a CVSS 3.0 score of 9.8, reflecting network attack vector, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability.
- Vendor: Gradle
- Product: CVE-2016-6199
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-07
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-07
- Advisory updated: 2026-05-13
Who should care
Organizations that use Gradle 2.12, especially build and automation environments that accept or process serialized network data. Security teams, DevOps teams, and release engineering owners should care because exploitation could lead to remote code execution on build systems or other Gradle-integrated hosts.
Technical summary
According to the NVD entry, the vulnerable component is ObjectSocketWrapper.java in Gradle 2.12. The issue is categorized as CWE-502 (deserialization of untrusted data). The recorded impact is critical: a remote attacker can trigger arbitrary code execution by supplying a crafted serialized object. The NVD reference set includes a Gradle discussion thread and an advisory-style reference on Java deserialization hosted on GitHub.
Defensive priority
High. The combination of remote reachability, no authentication requirement, and code execution impact makes this a top-priority remediation item for any environment still running Gradle 2.12 or retaining affected integrations.
Recommended defensive actions
- Inventory build and automation systems to confirm whether Gradle 2.12 is present.
- Upgrade or replace affected Gradle deployments with a version not listed as vulnerable in the NVD record.
- Restrict network exposure of any service or component that processes serialized objects.
- Treat untrusted deserialization as unsafe and remove reliance on it where possible.
- Review build servers for signs of unexpected execution or tampering if exposure occurred before remediation.
- Use the linked Gradle discussion and NVD record to confirm any vendor-specified mitigation or upgrade guidance.
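As an added illustration of the "treat untrusted deserialization as unsafe" action above (example code, not Gradle's code and not part of this debrief), the following Java reader contrasts the unsafe unfiltered pattern with a read guarded by an allowlist ObjectInputFilter (Java 9+). BuildRequest, the filter pattern and the sample payloads are constructed stand-ins for whatever message type a service legitimately expects; the same filter applies unchanged to an ObjectInputStream wrapped around a socket.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Constructed stand-in for the one message type the service legitimately expects.
final class BuildRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String task;
    BuildRequest(String task) { this.task = task; }
}

public class FilteredObjectReader {
    // Unsafe pattern (CWE-502), shown only for contrast and never called below: whatever
    // class the stream names is resolved and instantiated, so the sender picks the code that runs.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter is installed before the first readObject(), so any
    // class outside the list is rejected before its code runs; limits bound depth, refs and bytes.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "BuildRequest;java.lang.String;!*;maxdepth=4;maxrefs=32;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new BuildRequest("assemble"));     // constructed input
        byte[] unexpected = serialize(new HashMap<String, String>());   // constructed input
        System.out.println(((BuildRequest) readFiltered(expected)).task);
        try {
            readFiltered(unexpected);                                   // HashMap is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());         // filter reports REJECTED
        }
    }
}
```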
Evidence notes
The CVE description supplied by NVD states that ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. The NVD metadata further classifies the weakness as CWE-502 and lists the vulnerable CPE as gradle:gradle:2.12. The CVSS vector provided is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, supporting a critical severity assessment.
Official resources
- CVE-2016-6199 CVE record (CVE.org)
- CVE-2016-6199 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: NVD reference tagged Exploit, Technical Description, Third Party Advisory (source address and link not preserved in this copy)
- Mitigation or vendor reference: NVD reference tagged Release Notes, Vendor Advisory (source address and link not preserved in this copy)
CVE published: 2017-02-07T15:59:00.427Z. This debrief uses the supplied CVE publication date for timing context and does not infer a later review or generation date as the issue date.