Total: 426 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-21344 | 4 Debian, Fedoraproject, Oracle and 1 more | 13 Debian Linux, Fedora, Banking Enterprise Default Management and 10 more | 2022-02-16 | 7.5 HIGH | 9.8 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2021-21342 | 4 Debian, Fedoraproject, Oracle and 1 more | 6 Debian Linux, Fedora, Banking Virtual Account Management and 3 more | 2022-02-16 | 5.8 MEDIUM | 9.1 CRITICAL |
| XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16. | |||||
| CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 60 Log4j, Oncommand Api Services, Oncommand Insight and 57 more | 2022-02-07 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
| CVE-2021-45899 | 1 Salesagility | 1 Suitecrm | 2022-02-02 | 7.5 HIGH | 9.8 CRITICAL |
| SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution. | |||||
| CVE-2022-21647 | 1 Codeigniter | 1 Codeigniter | 2022-01-20 | 7.5 HIGH | 9.8 CRITICAL |
| CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade are advised not to use the `old()` function and form_helper, nor `RedirectResponse::withInput()` and `redirect()->withInput()`. | |||||
| CVE-2021-43297 | 1 Apache | 1 Dubbo | 2022-01-18 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; when Hessian catches unexpected exceptions, it logs some information for users, which may cause remote command execution. This issue affects Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5. | |||||
| CVE-2020-9493 | 1 Apache | 1 Chainsaw | 2022-01-18 | 6.8 MEDIUM | 9.8 CRITICAL |
| A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution. | |||||
| CVE-2018-1000613 | 4 Bouncycastle, Netapp, Opensuse and 1 more | 24 Legion-of-the-bouncy-castle-java-crytography-api, Oncommand Workflow Automation, Leap and 21 more | 2022-01-14 | 7.5 HIGH | 9.8 CRITICAL |
| Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contain a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. A handcrafted private key can include references to unexpected classes, which will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later. | |||||
| CVE-2021-44029 | 1 Quest | 1 Kace Desktop Authority | 2022-01-03 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function of ASP.NET AJAX. An attacker can leverage this vulnerability when the encryption keys are known (due to the presence of CVE-2017-11317, CVE-2017-11357, or other means). A default setting for the type whitelisting feature in more current versions of ASP.NET AJAX prevents exploitation. | |||||
| CVE-2019-20477 | 2 Fedoraproject, Pyyaml | 2 Fedora, Pyyaml | 2022-01-01 | 7.5 HIGH | 9.8 CRITICAL |
| PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. | |||||
| CVE-2021-36336 | 1 Dell | 1 Wyse Management Suite | 2021-12-27 | 7.5 HIGH | 9.8 CRITICAL |
| Wyse Management Suite versions 3.3.1 and below contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system. | |||||
| CVE-2021-44681 | 1 Veritas | 1 Enterprise Vault | 2021-12-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14080). | |||||
| CVE-2021-44680 | 1 Veritas | 1 Enterprise Vault | 2021-12-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14075). | |||||
| CVE-2021-44678 | 1 Veritas | 1 Enterprise Vault | 2021-12-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14076). | |||||
| CVE-2021-44677 | 1 Veritas | 1 Enterprise Vault | 2021-12-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (1 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14078). | |||||
| CVE-2021-44682 | 1 Veritas | 1 Enterprise Vault | 2021-12-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14079). | |||||
| CVE-2021-44679 | 1 Veritas | 1 Enterprise Vault | 2021-12-23 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14074). | |||||
| CVE-2021-24857 | 1 Nocean | 1 Totop Link | 2021-12-16 | 7.5 HIGH | 9.8 CRITICAL |
| The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain. | |||||
| CVE-2021-42127 | 1 Ivanti | 1 Avalanche | 2021-12-08 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization of untrusted data vulnerability in the Inforail Service of Ivanti Avalanche before 6.3.3 allows arbitrary code execution via the Data Repository Service. | |||||
| CVE-2021-37298 | 1 Laravel | 1 Laravel | 2021-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| Laravel v5.1 was discovered to contain a deserialization vulnerability via the component \Mockery\Generator\DefinedTargetClass. | |||||
| CVE-2021-36567 | 1 Thinkphp | 1 Thinkphp | 2021-12-07 | 10.0 HIGH | 9.8 CRITICAL |
| ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache. | |||||
| CVE-2021-36564 | 1 Thinkphp | 1 Thinkphp | 2021-12-07 | 7.5 HIGH | 9.8 CRITICAL |
| ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php. | |||||
| CVE-2021-42237 | 1 Sitecore | 1 Experience Platform | 2021-12-03 | 10.0 HIGH | 9.8 CRITICAL |
| Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability. | |||||
| CVE-2020-9548 | 4 Debian, Fasterxml, Netapp and 1 more | 25 Debian Linux, Jackson-databind, Active Iq Unified Manager and 22 more | 2021-12-02 | 6.8 MEDIUM | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | |||||
| CVE-2020-9547 | 4 Debian, Fasterxml, Netapp and 1 more | 16 Debian Linux, Jackson-databind, Active Iq Unified Manager and 13 more | 2021-12-02 | 6.8 MEDIUM | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). | |||||
| CVE-2020-9546 | 4 Debian, Fasterxml, Netapp and 1 more | 31 Debian Linux, Jackson-databind, Active Iq Unified Manager and 28 more | 2021-12-02 | 6.8 MEDIUM | 9.8 CRITICAL |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | |||||
| CVE-2019-19810 | 1 Eleveo | 1 Call Recording | 2021-11-30 | 10.0 HIGH | 10.0 CRITICAL |
| Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host. | |||||
| CVE-2021-40719 | 1 Adobe | 1 Connect | 2021-11-30 | 7.5 HIGH | 9.8 CRITICAL |
| Adobe Connect version 11.2.3 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability that allows arbitrary method invocation when AMF messages are deserialized on an Adobe Connect server. An attacker can leverage this to achieve remote code execution on the server. | |||||
| CVE-2021-40865 | 1 Apache | 1 Storm | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL |
| An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server, allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4. | |||||
| CVE-2021-40720 | 1 Adobe | 1 Ops-cli | 2021-10-20 | 10.0 HIGH | 9.8 CRITICAL |
| Ops CLI version 2.0.4 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability to achieve arbitrary code execution when the checkout_repo function is called on a maliciously crafted file. An attacker can leverage this to execute arbitrary code on the victim machine. | |||||
| CVE-2019-15780 | 1 Strategy11 | 1 Formidable Form Builder | 2021-10-14 | 7.5 HIGH | 9.8 CRITICAL |
| The formidable plugin before 4.02.01 for WordPress has unsafe deserialization. | |||||
| CVE-2021-42090 | 1 Zammad | 1 Zammad | 2021-10-14 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled. | |||||
| CVE-2021-41110 | 1 Commonwl | 1 Cwlviewer | 2021-10-08 | 7.5 HIGH | 9.8 CRITICAL |
| cwlviewer is a web application to view and share Common Workflow Language workflows. Versions prior to 1.3.1 contain a Deserialization of Untrusted Data vulnerability. Commit number f6066f09edb70033a2ce80200e9fa9e70a5c29de (dated 2021-09-30) contains a patch. There are no available workarounds aside from installing the patch. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a `SafeConstructor` object, as seen in the patch. | |||||
| CVE-2021-41616 | 1 Apache | 1 Ddlutils | 2021-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used ObjectInputStream.readObject without validating that the input data was safe to deserialize. Please note that DdlUtils is no longer being actively developed. To address the insecurity of the BinaryObjectsHelper class, the following changes to DdlUtils have been made: (1) BinaryObjectsHelper.java has been deleted from the DdlUtils source repository, and the DdlUtils feature of propagating data of SQL binary types is therefore no longer present in DdlUtils; (2) the ddlutils-1.0 release has been removed from the Apache Release Distribution Infrastructure; (3) the DdlUtils web site has been updated to indicate that DdlUtils is now available only as source code, not as a packaged release. | |||||
| CVE-2021-39392 | 1 Mylittletools | 1 Mylittlebackup | 2021-10-07 | 7.5 HIGH | 9.8 CRITICAL |
| The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. | |||||
| CVE-2019-11831 | 5 Debian, Drupal, Fedoraproject and 2 more | 5 Debian Linux, Drupal, Fedora and 2 more | 2021-10-01 | 7.5 HIGH | 9.8 CRITICAL |
| The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1.1 and 3.x before 3.1.1 for TYPO3 does not prevent directory traversal, which allows attackers to bypass a deserialization protection mechanism, as demonstrated by a phar:///path/bad.phar/../good.phar URL. | |||||
| CVE-2021-40102 | 1 Concretecms | 1 Concrete Cms | 2021-09-30 | 6.4 MEDIUM | 9.1 CRITICAL |
| An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method). | |||||
| CVE-2021-31819 | 1 Octopus | 1 Halibut | 2021-09-29 | 10.0 HIGH | 9.8 CRITICAL |
| In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification. | |||||
| CVE-2021-37181 | 1 Siemens | 3 Cerberus Dms, Desigo Cc, Desigo Cc Compact | 2021-09-24 | 7.5 HIGH | 10.0 CRITICAL |
| A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < V5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validation, which could result in arbitrary deserialization. This could allow an unauthenticated attacker to execute code on the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity is affected by the vulnerability. | |||||
| CVE-2021-24040 | 1 Facebook | 1 Parlai | 2021-09-24 | 7.5 HIGH | 9.8 CRITICAL |
| Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0. | |||||
| CVE-2017-5929 | 2 Qos, Redhat | 3 Logback, Satellite, Satellite Capsule | 2021-09-23 | 7.5 HIGH | 9.8 CRITICAL |
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. | |||||
| CVE-2021-3287 | 1 Zohocorp | 1 Manageengine Opmanager | 2021-09-22 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. | |||||
| CVE-2021-30128 | 1 Apache | 1 Ofbiz | 2021-09-20 | 10.0 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to version 17.12.07. | |||||
| CVE-2021-29200 | 1 Apache | 1 Ofbiz | 2021-09-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack. | |||||
| CVE-2021-37579 | 1 Apache | 1 Dubbo | 2021-09-17 | 7.5 HIGH | 9.8 CRITICAL |
| The Dubbo Provider checks that the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there is an exception that the attacker can use to skip the security check (when enabled) and reach a deserialization operation with native Java serialization. Apache Dubbo 2.7.13 and 3.0.2 fixed this issue by failing fast when any unrecognized request is found. | |||||
| CVE-2021-26295 | 1 Apache | 1 Ofbiz | 2021-09-16 | 7.5 HIGH | 9.8 CRITICAL |
| Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. | |||||
| CVE-2021-36163 | 1 Apache | 1 Dubbo | 2021-09-14 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton. New HessianSkeleton instances are created without any configuration of the serialization factory and therefore without applying the Dubbo properties for allowed or blocked type lists. In addition, the generic service is always exposed, and therefore attackers do not need to figure out a valid service/method name pair. This is fixed in 2.7.13 and 2.6.10.1. | |||||
| CVE-2021-34066 | 1 Edgegallery | 1 Developer-be | 2021-09-07 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in EdgeGallery/developer before v1.0. There is a "Deserialization of yaml file" vulnerability that can allow attackers to execute system commands by uploading a maliciously constructed YAML file. | |||||
| CVE-2021-21741 | 1 Zte | 2 Zxv10 M910, Zxv10 M910 Firmware | 2021-09-07 | 7.5 HIGH | 9.8 CRITICAL |
| A conference management system of ZTE is impacted by a command execution vulnerability. Since the soapmonitor's java object service is enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending a deserialized payload to port 5001. | |||||
| CVE-2021-23420 | 1 Codeception | 1 Codeception | 2021-08-19 | 10.0 HIGH | 9.8 CRITICAL |
| This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation. | |||||
