Vulnerabilities (CVE)

Filtered by CWE-502
Total 1452 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-5954 1 Serialize-to-js Project 1 Serialize-to-js 2024-02-28 7.5 HIGH 9.8 CRITICAL
An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
CVE-2016-6199 1 Gradle 1 Gradle 2024-02-28 7.5 HIGH 9.8 CRITICAL
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.
CVE-2017-8829 1 Debian 1 Lintian 2024-02-28 6.8 MEDIUM 7.8 HIGH
Deserialization vulnerability in lintian through 2.5.50.3 allows attackers to trigger code execution by requesting a review of a source package with a crafted YAML file.
CVE-2016-8749 1 Apache 1 Camel 2024-02-28 7.5 HIGH 9.8 CRITICAL
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks.
CVE-2016-9865 1 Phpmyadmin 1 Phpmyadmin 2024-02-28 7.5 HIGH 9.8 CRITICAL
An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-6809 1 Apache 2 Nutch, Tika 2024-02-28 7.5 HIGH 9.8 CRITICAL
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
CVE-2017-5645 4 Apache, Netapp, Oracle and 1 more 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
CVE-2017-5830 1 Revive-adserver 1 Revive Adserver 2024-02-28 7.5 HIGH 9.8 CRITICAL
Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts.
CVE-2017-3159 1 Apache 1 Camel 2024-02-28 7.5 HIGH 9.8 CRITICAL
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2016-0779 1 Apache 1 Tomee 2024-02-28 7.5 HIGH 9.8 CRITICAL
The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object.
CVE-2017-5929 2 Qos, Redhat 3 Logback, Satellite, Satellite Capsule 2024-02-28 7.5 HIGH 9.8 CRITICAL
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVE-2016-7124 1 Php 1 Php 2024-02-28 7.5 HIGH 9.8 CRITICAL
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
CVE-2016-6330 1 Redhat 1 Jboss Operations Network 2024-02-28 9.0 HIGH 9.8 CRITICAL
The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737.
CVE-2016-5019 1 Apache 1 Myfaces Trinidad 2024-02-28 7.5 HIGH 9.8 CRITICAL
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
CVE-2016-4978 2 Apache, Redhat 3 Activemq Artemis, Enterprise Linux Server, Jboss Enterprise Application Platform 2024-02-28 6.0 MEDIUM 7.2 HIGH
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
CVE-2016-4385 1 Hp 1 Network Automation 2024-02-28 7.5 HIGH 7.3 HIGH
The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.
CVE-2015-4852 1 Oracle 3 Storagetek Tape Analytics Sw Tool, Virtual Desktop Infrastructure, Weblogic Server 2024-02-28 7.5 HIGH 9.8 CRITICAL
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
CVE-2016-1114 1 Adobe 1 Coldfusion 2024-02-28 7.5 HIGH 9.8 CRITICAL
Adobe ColdFusion 10 before Update 19, 11 before Update 8, and 2016 before Update 1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
CVE-2015-8103 2 Jenkins, Redhat 2 Jenkins, Openshift Container Platform 2024-02-28 7.5 HIGH 9.8 CRITICAL
The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'".
CVE-2015-6420 1 Apache 1 Commons Collections 2024-02-28 7.5 HIGH N/A
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.