Total
1768 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-3202 | 1 Exadel | 1 Flamingo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. | |||||
| CVE-2017-3201 | 1 Exadel | 1 Flamingo Amf-serializer | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. | |||||
| CVE-2017-3200 | 1 Graniteds | 1 Graniteds | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. | |||||
| CVE-2017-3199 | 1 Graniteds | 1 Graniteds | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExternalizable. A remote attacker with the ability to spoof or control an RMI server connection may be able to send serialized Java objects that execute arbitrary code when deserialized. | |||||
| CVE-2017-2608 | 1 Jenkins | 1 Jenkins | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). | |||||
| CVE-2017-20189 | 1 Clojure | 1 Clojure | 2024-11-21 | N/A | 9.8 CRITICAL |
| In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. This is relevant if a server deserializes untrusted objects. | |||||
| CVE-2017-1677 | 3 Ibm, Linux, Microsoft | 3 Db2, Linux Kernel, Windows | 2024-11-21 | 4.6 MEDIUM | 7.4 HIGH |
| IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999. | |||||
| CVE-2017-18605 | 1 Gravitatedesign | 1 Gravitate Qa Tracker | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Object Injection. | |||||
| CVE-2017-18604 | 1 Sitebuilder Dynamic Components Project | 1 Sitebuilder Dynamic Components | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| The sitebuilder-dynamic-components plugin through 1.0 for WordPress has PHP object injection via an AJAX request. | |||||
| CVE-2017-18375 | 1 Ampache | 1 Ampache | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php and democratic.class.php. | |||||
| CVE-2017-18365 | 1 Github | 1 Github | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and can be found in the product's source code. By sending a crafted cookie signed with this secret, one can call Marshal.load with arbitrary data, which is a problem because the Marshal data format allows Ruby objects. | |||||
| CVE-2017-18342 | 2 Fedoraproject, Pyyaml | 2 Fedora, Pyyaml | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function. | |||||
| CVE-2017-17485 | 4 Debian, Fasterxml, Netapp and 1 more | 9 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 6 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | |||||
| CVE-2017-17406 | 1 Netgain-systems | 1 Enterprise Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within an exposed RMI registry, which listens on TCP ports 1800 and 1850 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process. Was ZDI-CAN-4753. | |||||
| CVE-2017-15703 | 1 Apache | 1 Nifi | 2024-11-21 | 3.5 LOW | 5.0 MEDIUM |
| Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserialization was applied on the Apache NiFi 1.4.0 release. Users running a prior 1.x release should upgrade to the appropriate release. | |||||
| CVE-2017-15693 | 1 Apache | 1 Geode | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
| In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath. | |||||
| CVE-2017-15692 | 1 Apache | 1 Geode | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath. | |||||
| CVE-2017-15095 | 5 Debian, Fasterxml, Netapp and 2 more | 25 Debian Linux, Jackson-databind, Oncommand Balance and 22 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. | |||||
| CVE-2017-15089 | 1 Infinispan | 1 Infinispan | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. | |||||
| CVE-2017-13286 | 1 Google | 1 Android | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
| In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251. | |||||