LiveActive security incident?Get immediate response
CVE Record

CVE-2014-9515: Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to...

Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object.

CriticalCVSS 9.8Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2014-9515 is a critical Java library risk in Dozer's reflection-based type conversion. A crafted serialized object could let an unauthenticated remote attacker run arbitrary code. The source bundle does not identify exact affected versions, so urgency depends on whether Dozer is present in applications or bundled vendor products.

Executive priority

Prioritize investigation this cycle. The business risk is critical if Dozer is reachable in exposed Java services, but the incomplete affected-version data means teams should first confirm presence and reachability before emergency-wide action.

Technical view

The CVE describes unsafe reflection during Dozer type conversion reachable through crafted serialized objects, with CVSS 9.8 for network, no-auth, no-user-interaction remote code execution. References include DozerMapper issues, a related commit, public research, and Oracle and NetApp advisories, but the provided affected-version metadata is incomplete.

Likely exposure

Exposure is most likely in Java applications or vendor products that include Dozer/DozerMapper and process serialized objects from untrusted or network-adjacent sources. The CVE record's affected product and version fields are listed as n/a, so dependency inventory is required.

Exploitation context

The bundle references public research for Dozer RCE and vendor advisories. CISA KEV is false, and no provided source states active exploitation. Treat exploitability as serious because the CVSS vector is unauthenticated network RCE, but do not claim in-the-wild exploitation from these sources.

Researcher notes

Key gaps are exact affected versions, fixed release mapping, and exploit-in-the-wild evidence. Use the CVE description, DozerMapper issue history, referenced commit, and vendor advisories to build an exposure matrix without assuming all Dozer deployments are vulnerable.

Mitigation direction

  • Inventory Java applications and vendor products for Dozer or DozerMapper dependencies.
  • Check DozerMapper issues, commit history, and vendor advisories for supported fixed versions.
  • Upgrade, replace, or remove vulnerable Dozer components according to vendor guidance.
  • Prevent untrusted serialized objects from reaching Dozer mapping or conversion paths.
  • Prioritize Oracle and NetApp environments only where their advisories confirm exposure.

Validation and detection

  • Review SBOMs, Maven dependency trees, and packaged libraries for Dozer or DozerMapper.
  • Map data flows that deserialize external input before invoking object mapping.
  • Compare deployed versions with DozerMapper guidance and referenced vendor advisories.
  • Confirm whether Oracle or NetApp affected-product notices apply to deployed assets.
  • Document compensating controls where immediate upgrade guidance is unavailable.
Prepared
Confidence
medium
Sources
9

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2014-9515 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
9Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2014-9515Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.