CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
Page 18 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-12633 | | Cri | 0.64 | 9.8 | 0.07 | | Nov 15, 2017 | The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. |
| CVE-2017-12796 | | Cri | 0.64 | 9.8 | 0.04 | | Oct 23, 2017 | The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute… |
| CVE-2016-8736 | | Cri | 0.64 | 9.8 | 0.05 | | Oct 12, 2017 | Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack. |
| CVE-2017-10932 | | Cri | 0.64 | 9.8 | 0.04 | | Sep 28, 2017 | All versions prior to V12.17.20 of the ZTE Microwave NR8000 series products - NR8120, NR8120A, NR8120, NR8150, NR8250, NR8000 TR and NR8950 are the applications of C/S architecture using the Java RMI service in which the servers use the Apache Commons Collections (ACC) library… |
| CVE-2017-14035 | | Cri | 0.64 | 9.8 | 0.02 | | Aug 30, 2017 | CrushFTP 8.x before 8.2.0 has a serialization vulnerability. |
| CVE-2017-9785 | | Cri | 0.64 | 9.8 | 0.03 | | Jul 20, 2017 | Csrf.cs in NancyFX Nancy before 1.4.4 and 2.x before 2.0-dangermouse has Remote Code Execution via Deserialization of JSON data in a CSRF Cookie. |
| CVE-2016-4000 | | Cri | 0.64 | 9.8 | 0.07 | | Jul 6, 2017 | Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object. |
| CVE-2017-9830 | | Cri | 0.64 | 9.8 | 0.06 | | Jun 27, 2017 | Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients. |
| CVE-2017-9424 | | Cri | 0.64 | 9.8 | 0.03 | | Jun 22, 2017 | IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization. |
| CVE-2016-7050 | | Cri | 0.64 | 9.8 | 0.05 | | Jun 8, 2017 | SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code. |
| CVE-2016-3690 | | Cri | 0.64 | 9.8 | 0.05 | | Jun 8, 2017 | The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. |
| CVE-2017-5878 | | Cri | 0.64 | 9.8 | 0.03 | | Jun 8, 2017 | The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data. |
| CVE-2017-9363 | | Cri | 0.64 | 9.8 | 0.03 | | Jun 2, 2017 | Untrusted Java serialization in Soffid IAM console before 1.7.5 allows remote attackers to achieve arbitrary remote code execution via a crafted authentication request. |
| CVE-2016-0779 | | Cri | 0.64 | 9.8 | 0.10 | | Apr 11, 2017 | The EjbObjectInputStream class in Apache TomEE before 1.7.4 and 7.x before 7.0.0-M3 allows remote attackers to execute arbitrary code via a crafted serialized object. |
| CVE-2017-5830 | | Cri | 0.64 | 9.8 | 0.03 | | Mar 3, 2017 | Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts. |
| CVE-2016-0360 | | Cri | 0.64 | 9.8 | 0.03 | | Feb 15, 2017 | IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. |
| CVE-2016-6199 | | Cri | 0.64 | 9.8 | 0.05 | | Feb 7, 2017 | ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. |
| CVE-2016-9865 | | Cri | 0.64 | 9.8 | 0.02 | | Dec 11, 2016 | An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18)… |
| CVE-2016-6620 | | Cri | 0.64 | 9.8 | 0.03 | | Dec 11, 2016 | An issue was discovered in phpMyAdmin. Some data is passed to the PHP unserialize() function without verification that it's valid serialized data. The unserialization can result in code execution because of the interaction with object instantiation and autoloading. All 4.6.x… |
| CVE-2016-5019 | | Cri | 0.64 | 9.8 | 0.08 | | Oct 3, 2016 | CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string. |