Vulnerabilities (CVE)

Filtered by CWE-502
Total 1487 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-39150 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CVE-2021-39149 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39148 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39147 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39146 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39145 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39144 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39141 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.0 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39140 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.3 MEDIUM 6.5 MEDIUM
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39139 5 Debian, Fedoraproject, Netapp and 2 more 15 Debian Linux, Fedora, Snapmanager and 12 more 2024-11-21 6.5 MEDIUM 8.5 HIGH
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39132 1 Pagerduty 1 Rundeck 2024-11-21 6.5 MEDIUM 8.8 HIGH
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:`admin` level access to the `system` resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: `create` `update` or `admin` level access to a `project_acl` resource, and/or`create` `update` or `admin` level access to the `system_acl` resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14
CVE-2021-38585 1 Cpanel 1 Cpanel 2024-11-21 6.5 MEDIUM 7.2 HIGH
The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585).
CVE-2021-38241 1 Ruoyi 1 Ruoyi 2024-11-21 N/A 9.8 CRITICAL
Deserialization issue discovered in Ruoyi before 4.6.1 allows remote attackers to run arbitrary code via weak cipher in Shiro framework.
CVE-2021-37678 1 Google 1 Tensorflow 2024-11-21 4.6 MEDIUM 9.3 CRITICAL
TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses `yaml.unsafe_load` which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.
CVE-2021-37632 1 Config Lib Project 1 Config Lib 2024-11-21 6.8 MEDIUM 8.1 HIGH
SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. The versions of SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are affected by a vulnerability and can be exploited on both servers and clients. Using SuperMartijn642's Config Lib, servers will send a packet to clients with the server's config values. In order to read `enum` values from the packet data, `ObjectInputStream#readObject` is used. `ObjectInputStream#readObject` will instantiate a class based on the input data. Since, the packet data is not validated before `ObjectInputStream#readObject` is called, an attacker can instantiate any class by sending a malicious packet. If a suitable class is found, the vulnerability can lead to a number of exploits, including remote code execution. Although the vulnerable packet is typically only send from server to client, it can theoretically also be send from client to server. This means both clients and servers running SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are vulnerable. The vulnerability has been patched in SuperMartijn642's Config lib 1.0.9. Both, players and server owners, should update to 1.0.9 or higher.
CVE-2021-37579 1 Apache 1 Dubbo 2024-11-21 7.5 HIGH 9.8 CRITICAL
The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization operation with native java serialization. Apache Dubbo 2.7.13, 3.0.2 fixed this issue by quickly fail when any unrecognized request was found.
CVE-2021-37578 1 Apache 1 Juddi 2024-11-21 6.8 MEDIUM 9.8 CRITICAL
Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.
CVE-2021-37544 1 Jetbrains 1 Teamcity 2024-11-21 7.5 HIGH 9.8 CRITICAL
In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.
CVE-2021-37181 1 Siemens 3 Cerberus Dms, Desigo Cc, Desigo Cc Compact 2024-11-21 7.5 HIGH 10.0 CRITICAL
A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All versions), Cerberus DMS V5.0 (All versions < v5.0 QU1), Desigo CC Compact V4.0 (All versions), Desigo CC Compact V4.1 (All versions), Desigo CC Compact V4.2 (All versions), Desigo CC Compact V5.0 (All versions < V5.0 QU1), Desigo CC V4.0 (All versions), Desigo CC V4.1 (All versions), Desigo CC V4.2 (All versions), Desigo CC V5.0 (All versions < V5.0 QU1). The application deserialises untrusted data without sufficient validations, that could result in an arbitrary deserialization. This could allow an unauthenticated attacker to execute code in the affected system. The CCOM communication component used for Windows App / Click-Once and IE Web / XBAP client connectivity are affected by the vulnerability.
CVE-2021-36981 1 Sernet 1 Verinice 2024-11-21 9.0 HIGH 8.8 HIGH
In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.