Total
1397 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-0360 | 1 Ibm | 1 Websphere Mq Jms | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. | |||||
CVE-2017-3066 | 1 Adobe | 1 Coldfusion | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution. | |||||
CVE-2016-6620 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. | |||||
CVE-2014-8731 | 1 Phpmemcachedadmin Project | 1 Phpmemcachedadmin | 2024-02-28 | 10.0 HIGH | 9.8 CRITICAL |
PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related "serialized data and the last part of the concatenated filename," which creates a file in webroot. | |||||
CVE-2017-5983 | 1 Atlassian | 1 Jira | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. | |||||
CVE-2017-5954 | 1 Serialize-to-js Project | 1 Serialize-to-js | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). | |||||
CVE-2016-6199 | 1 Gradle | 1 Gradle | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
CVE-2017-8829 | 1 Debian | 1 Lintian | 2024-02-28 | 6.8 MEDIUM | 7.8 HIGH |
Deserialization vulnerability in lintian through 2.5.50.3 allows attackers to trigger code execution by requesting a review of a source package with a crafted YAML file. | |||||
CVE-2016-8749 | 1 Apache | 1 Camel | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | |||||
CVE-2016-9865 | 1 Phpmyadmin | 1 Phpmyadmin | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. | |||||
CVE-2016-6809 | 1 Apache | 2 Nutch, Tika | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization. | |||||
CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
CVE-2017-5830 | 1 Revive-adserver | 1 Revive Adserver | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts. | |||||
CVE-2017-3159 | 1 Apache | 1 Camel | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
CVE-2016-0779 | 1 Apache | 1 Tomee | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
CVE-2017-5929 | 2 Qos, Redhat | 3 Logback, Satellite, Satellite Capsule | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. | |||||
CVE-2016-7124 | 1 Php | 1 Php | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call. | |||||
CVE-2016-6330 | 1 Redhat | 1 Jboss Operations Network | 2024-02-28 | 9.0 HIGH | 9.8 CRITICAL |
The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737. | |||||
CVE-2016-5019 | 1 Apache | 1 Myfaces Trinidad | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string. | |||||
CVE-2016-4978 | 2 Apache, Redhat | 3 Activemq Artemis, Enterprise Linux Server, Jboss Enterprise Application Platform | 2024-02-28 | 6.0 MEDIUM | 7.2 HIGH |
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath. |