Total
1768 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-39392 | 1 Mylittletools | 1 Mylittlebackup | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code. | |||||
| CVE-2021-39321 | 1 Heateor | 1 Sassy Social Share | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function. | |||||
| CVE-2021-39207 | 1 Facebook | 1 Parlai | 2024-11-21 | 6.5 MEDIUM | 8.4 HIGH |
| parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details. | |||||
| CVE-2021-39154 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39153 | 5 Debian, Fedoraproject, Netapp and 2 more | 13 Debian Linux, Fedora, Snapmanager and 10 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39152 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. | |||||
| CVE-2021-39151 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39150 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18. | |||||
| CVE-2021-39149 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39148 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39147 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39146 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39145 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39141 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.0 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39140 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.3 MEDIUM | 6.5 MEDIUM |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39139 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2024-11-21 | 6.5 MEDIUM | 8.5 HIGH |
| XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
| CVE-2021-39132 | 1 Pagerduty | 1 Rundeck | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted project archive with a crafted aclpolicy yaml file, that can cause the server to run untrusted code on Rundeck Community or Enterprise Edition. An authenticated user can make a POST request, that can cause the server to run untrusted code on Rundeck Enterprise Edition. The zip-format plugin issues requires authentication and authorization to these access levels, and affects all Rundeck editions:`admin` level access to the `system` resource type. The ACL Policy yaml file upload issues requires authentication and authorization to these access levels, and affects all Rundeck editions: `create` `update` or `admin` level access to a `project_acl` resource, and/or`create` `update` or `admin` level access to the `system_acl` resource. The unauthorized POST request requires authentication, but no specific authorization, and affects Rundeck Enterprise only. Patches are available in versions 3.4.3, 3.3.14 | |||||
| CVE-2021-38585 | 1 Cpanel | 1 Cpanel | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The WHM Locale Upload feature in cPanel before 98.0.1 allows unserialization attacks (SEC-585). | |||||
| CVE-2021-37678 | 1 Google | 1 Tensorflow | 2024-11-21 | 4.6 MEDIUM | 9.3 CRITICAL |
| TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blob/460e000de3a83278fb00b61a16d161b1964f15f4/tensorflow/python/keras/saving/model_config.py#L66-L104) uses `yaml.unsafe_load` which can perform arbitrary code execution on the input. Given that YAML format support requires a significant amount of work, we have removed it for now. We have patched the issue in GitHub commit 23d6383eb6c14084a8fc3bdf164043b974818012. The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range. | |||||
| CVE-2021-37632 | 1 Config Lib Project | 1 Config Lib | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| SuperMartijn642's Config Lib is a library used by a number of mods for the game Minecraft. The versions of SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are affected by a vulnerability and can be exploited on both servers and clients. Using SuperMartijn642's Config Lib, servers will send a packet to clients with the server's config values. In order to read `enum` values from the packet data, `ObjectInputStream#readObject` is used. `ObjectInputStream#readObject` will instantiate a class based on the input data. Since, the packet data is not validated before `ObjectInputStream#readObject` is called, an attacker can instantiate any class by sending a malicious packet. If a suitable class is found, the vulnerability can lead to a number of exploits, including remote code execution. Although the vulnerable packet is typically only send from server to client, it can theoretically also be send from client to server. This means both clients and servers running SuperMartijn642's Config Lib between 1.0.4 and 1.0.8 are vulnerable. The vulnerability has been patched in SuperMartijn642's Config lib 1.0.9. Both, players and server owners, should update to 1.0.9 or higher. | |||||