Total
1479 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-10750 | 1 Hazelcast | 1 Hazelcast | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code. | |||||
| CVE-2016-10304 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788. | |||||
| CVE-2016-1000027 | 1 Vmware | 1 Spring Framework | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. | |||||
| CVE-2016-0779 | 1 Apache | 1 Tomee | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2016-0750 | 1 Infinispan | 1 Infinispan | 2024-11-21 | 6.5 MEDIUM | 4.2 MEDIUM |
| The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks. | |||||
| CVE-2016-0360 | 1 Ibm | 1 Websphere Mq Jms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. | |||||
| CVE-2015-8103 | 2 Jenkins, Redhat | 2 Jenkins, Openshift Container Platform | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'". | |||||
| CVE-2015-7501 | 1 Redhat | 15 Data Grid, Jboss A-mq, Jboss Bpm Suite and 12 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | |||||
| CVE-2015-6420 | 1 Apache | 1 Commons Collections | 2024-11-21 | 7.5 HIGH | N/A |
| Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | |||||
| CVE-2015-5164 | 2 Pulpproject, Redhat | 2 Qpid, Satellite | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp. | |||||
| CVE-2015-4852 | 1 Oracle | 3 Storagetek Tape Analytics Sw Tool, Virtual Desktop Infrastructure, Weblogic Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product. | |||||
| CVE-2015-2020 | 1 Myscript | 1 Myscript | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | |||||
| CVE-2014-9515 | 1 Dozer Project | 1 Dozer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2014-8731 | 1 Phpmemcachedadmin Project | 1 Phpmemcachedadmin | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related "serialized data and the last part of the concatenated filename," which creates a file in webroot. | |||||
| CVE-2014-3699 | 1 Redhat | 2 Edeploy, Jboss Enterprise Web Server | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| eDeploy has RCE via cPickle deserialization of untrusted data | |||||
| CVE-2014-1860 | 1 Contao | 1 Contao Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities | |||||
| CVE-2014-1420 | 1 Canonical | 1 Ubuntu-ui-toolkit | 2024-11-21 | 2.1 LOW | 3.8 LOW |
| On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to launch a symlink attack, though this is partially mitigated by symlink and hardlink restrictions in Ubuntu. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1. | |||||
| CVE-2013-7489 | 1 Beakerbrowser | 1 Beaker | 2024-11-21 | 5.2 MEDIUM | 6.8 MEDIUM |
| The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution. | |||||
| CVE-2013-4521 | 1 Nuxeo | 1 Nuxeo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. NOTE: this vulnerability may overlap CVE-2013-2165. | |||||
| CVE-2013-4271 | 1 Restlet | 1 Restlet | 2024-11-21 | 7.5 HIGH | N/A |
| The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221. | |||||