Search
Total
31 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32665 | 1 Gnome | 1 Glib | 2023-11-27 | N/A | 5.5 MEDIUM |
| A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service. | |||||
| CVE-2023-24971 | 1 Ibm | 2 B2b Advanced Communications, Multi-enterprise Integration Gateway | 2023-08-04 | N/A | 6.5 MEDIUM |
| IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could allow a user to cause a denial of service due to the deserializing of untrusted serialized Java objects. IBM X-Force ID: 246976. | |||||
| CVE-2021-39140 | 5 Debian, Fedoraproject, Netapp and 2 more | 11 Debian Linux, Fedora, Snapmanager and 8 more | 2022-07-25 | 6.3 MEDIUM | 6.3 MEDIUM |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-42550 | 3 Netapp, Qos, Redhat | 5 Cloud Manager, Service Level Manager, Snap Creator Framework and 2 more | 2022-07-22 | 8.5 HIGH | 6.6 MEDIUM |
| In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. | |||||
| CVE-2022-20195 | 1 Google | 1 Android | 2022-06-24 | 1.9 LOW | 5.0 MEDIUM |
| In the keystore library, there is a possible prevention of access to system Settings due to unsafe deserialization. This could lead to local denial of service with User execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-12LAndroid ID: A-213172664 | |||||
| CVE-2021-22095 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2021-12-01 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message | |||||
| CVE-2021-22097 | 1 Vmware | 1 Spring Advanced Message Queuing Protocol | 2021-11-01 | 6.8 MEDIUM | 6.5 MEDIUM |
| In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100% CPU usage in the application if the toString() method is called. | |||||
| CVE-2021-34394 | 1 Nvidia | 9 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 6 more | 2021-09-20 | 4.6 MEDIUM | 6.7 MEDIUM |
| Trusty contains a vulnerability in the NVIDIA OTE protocol that is present in all TAs. An incorrect message stream deserialization allows an attacker to use the malicious CA that is run by the user to cause the buffer overflow, which may lead to information disclosure and data modification. | |||||
| CVE-2020-9496 | 1 Apache | 1 Ofbiz | 2021-08-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03 | |||||
| CVE-2020-0132 | 1 Google | 1 Android | 2021-07-21 | 2.1 LOW | 5.5 MEDIUM |
| In BnAAudioService::onTransact of IAAudioService.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-139473816 | |||||
| CVE-2019-0305 | 1 Sap | 1 Netweaver Process Integration | 2021-07-21 | 4.3 MEDIUM | 4.3 MEDIUM |
| Java Server Pages (JSPs) provided by the SAP NetWeaver Process Integration (SAP_XIESR and SAP_XITOOL: 7.10 to 7.11, 7.20, 7.30, 7.31, 7.40, 7.50) do not restrict or incorrectly restrict frame objects or UI layers that belong to another application or domain, resulting in Clickjacking vulnerability. Successful exploitation of this vulnerability leads to unwanted modification of user's data. | |||||
| CVE-2021-34393 | 1 Nvidia | 10 Jetson Agx Xavier 16gb, Jetson Agx Xavier 32gb, Jetson Agx Xavier 8gb and 7 more | 2021-06-29 | 2.1 LOW | 4.4 MEDIUM |
| Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure. | |||||
| CVE-2021-1414 | 1 Cisco | 8 Rv340, Rv340 Firmware, Rv340w and 5 more | 2021-06-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | |||||
| CVE-2021-1413 | 1 Cisco | 8 Rv340, Rv340 Firmware, Rv340w and 5 more | 2021-06-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | |||||
| CVE-2021-1415 | 1 Cisco | 8 Rv340, Rv340 Firmware, Rv340w and 5 more | 2021-06-04 | 6.5 MEDIUM | 6.3 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code with elevated privileges equivalent to the web service process on an affected device. These vulnerabilities exist because HTTP requests are not properly validated. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the web-based management interface of an affected device. A successful exploit could allow the attacker to remotely execute arbitrary code on the device. | |||||
| CVE-2016-10304 | 1 Sap | 1 Netweaver Application Server Java | 2021-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. | |||||
| CVE-2021-21488 | 1 Sap | 1 Netweaver Knowledge Management | 2021-03-17 | 4.0 MEDIUM | 6.5 MEDIUM |
| Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s code, therefore impacting Availability. | |||||
| CVE-2019-12814 | 2 Debian, Fasterxml | 2 Debian Linux, Jackson-databind | 2020-10-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | |||||
| CVE-2019-12384 | 3 Debian, Fasterxml, Redhat | 3 Debian Linux, Jackson-databind, Enterprise Linux | 2020-10-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | |||||
| CVE-2019-2391 | 1 Mongodb | 1 Js-bson | 2020-09-29 | 5.5 MEDIUM | 5.4 MEDIUM |
| Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to. | |||||
| CVE-2018-15425 | 1 Cisco | 1 Identity Services Engine | 2020-09-16 | 6.5 MEDIUM | 4.7 MEDIUM |
| A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device with the privileges of the web server. | |||||
| CVE-2013-7489 | 1 Beakerbrowser | 1 Beaker | 2020-07-06 | 5.2 MEDIUM | 6.8 MEDIUM |
| The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution. | |||||
| CVE-2020-12469 | 1 Intelliants | 1 Subrion | 2020-05-05 | 5.5 MEDIUM | 6.5 MEDIUM |
| admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit. | |||||
| CVE-2019-14466 | 2 Debian, Gosa Project | 2 Debian Linux, Gosa | 2020-01-10 | 5.5 MEDIUM | 6.5 MEDIUM |
| The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable to PHP objection injection, which allows a remote authenticated attacker to perform file deletions (in the context of the user account that runs the web server) via a crafted cookie value, because unserialize is used to restore filter settings from a cookie. | |||||
| CVE-2016-8653 | 1 Redhat | 2 Jboss A-mq, Jboss Fuse | 2019-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack. | |||||
| CVE-2016-9585 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2019-10-09 | 2.6 LOW | 5.3 MEDIUM |
| Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack. | |||||
| CVE-2019-9373 | 1 Google | 1 Android | 2019-10-03 | 2.1 LOW | 5.5 MEDIUM |
| In JobStore, there is a mismatched serialization/deserialization for the "battery-not-low" job attribute. This could lead to a local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-130173029 | |||||
| CVE-2017-10803 | 1 Odoo | 1 Odoo | 2019-10-03 | 8.5 HIGH | 6.5 MEDIUM |
| In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used. | |||||
| CVE-2018-1999042 | 1 Jenkins | 1 Jenkins | 2019-05-08 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability exists in Jenkins 2.137 and earlier, 2.121.2 and earlier in XStream2.java that allows attackers to have Jenkins resolve a domain name when deserializing an instance of java.net.URL. | |||||
| CVE-2017-1000355 | 1 Jenkins | 1 Jenkins | 2018-02-15 | 4.0 MEDIUM | 6.5 MEDIUM |
| Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. | |||||
| CVE-2017-15703 | 1 Apache | 1 Nifi | 2018-02-12 | 3.5 LOW | 5.0 MEDIUM |
| Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | |||||