VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 38 of 87
  • CVE-2022-2434 | High | Sep 6, 2022
    risk 0.57 | cvss 8.8 | epss 0.01

    The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including 2.5.0. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick…

  • CVE-2022-37022 | High | Aug 31, 2022
    risk 0.57 | cvss 8.8 | epss 0.01

    Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java…

  • CVE-2022-2437 | Critical | Jul 18, 2022
    risk 0.57 | cvss 9.8 | epss 0.01

    The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including 2.9.8.5. This makes it possible for unauthenticated attackers to call files using a…

  • CVE-2022-31605 | Critical | Jul 1, 2022
    risk 0.57 | cvss 9.8 | epss 0.02

    NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of untrusted data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of…

  • CVE-2022-31604 | Critical | Jul 1, 2022
    risk 0.57 | cvss 9.8 | epss 0.02

    NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where the CA credentials are transported via pickle with no safe deserialization. The deserialization of untrusted data may allow an unprivileged network attacker to cause Remote Code…

  • CVE-2022-32511 | Critical | Jun 6, 2022
    risk 0.57 | cvss 9.8 | epss 0.02

    jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a situation where JSON.parse is preferable.

  • CVE-2022-24289 | High | Feb 11, 2022
    risk 0.57 | cvss 8.8 | epss 0.02

    Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache…

  • CVE-2021-39141 | High | Aug 23, 2021
    risk 0.57 | cvss 8.5 | epss 0.16

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected who followed…

  • CVE-2021-37578 | Critical | Jul 29, 2021
    risk 0.57 | cvss 9.8 | epss 0.04

    Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote…

  • CVE-2020-36326 | Critical | Apr 28, 2021
    risk 0.57 | cvss 9.8 | epss 0.03

    PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by…

  • CVE-2021-29476 | Critical | Apr 27, 2021
    risk 0.57 | cvss 9.8 | epss 0.02

    Requests is an HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.

  • CVE-2020-36282 | Critical | Mar 12, 2021
    risk 0.57 | cvss 9.8 | epss 0.03

    JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data.

  • CVE-2020-23653 | Critical | Jan 13, 2021
    risk 0.57 | cvss 9.8 | epss 0.04

    An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution.

  • CVE-2020-11995 | Critical | Jan 11, 2021
    risk 0.57 | cvss 9.8 | epss 0.06

    A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol; during Hessian2 deserializing the HashMap object, some functions in…

  • CVE-2019-7725 | Critical | Dec 31, 2020
    risk 0.57 | cvss 9.8 | epss 0.03

    includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).

  • CVE-2020-15148 | High | Sep 15, 2020
    risk 0.57 | cvss 8.9 | epss 0.79

    Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory.

  • CVE-2020-5413 | Critical | Jul 31, 2020
    risk 0.57 | cvss 9.8 | epss 0.04

    Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data…

  • CVE-2020-15086 | Critical | Jul 29, 2020
    risk 0.57 | cvss 9.8 | epss 0.03

    In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows injection of arbitrary data having a valid cryptographic message…

  • CVE-2020-2211 | High | Jul 2, 2020
    risk 0.57 | cvss 8.8 | epss 0.02

    Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2018-21234 | Critical | May 21, 2020
    risk 0.57 | cvss 9.8 | epss 0.08

    Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.
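
Several entries on this page are the same mistake in different runtimes: the loader is allowed to instantiate, or call, whatever type the byte stream names (pickle in CVE-2022-31604, yaml.load in CVE-2022-31605, JSON.load in CVE-2022-32511, an unrestricted YAML parser in CVE-2020-2211, unregistered Kryo classes in CVE-2020-5413). The Python example below is added here and is not code from any project listed above. The Gadget class, the sample payloads and the allow-list are constructed for the demonstration. It shows pickle.loads() executing attacker-chosen code, a pickletools pre-flight that lists the globals a stream references before anything is executed, and a find_class allow-list (the pattern from the Python pickle documentation) that refuses the same stream while still accepting the expected dict.

```python
import io
import pickle
import pickletools


class Gadget:
    """Constructed attacker object: __reduce__ tells pickle to rebuild it by
    calling an arbitrary callable, so that call runs inside pickle.loads().
    A real payload would name os.system or subprocess; eval("6 * 7") keeps
    the demo side-effect free while still proving that code executed."""

    def __reduce__(self):
        return (eval, ("6 * 7",))


def build_malicious_payload() -> bytes:
    """Bytes an attacker would send in place of the expected object."""
    return pickle.dumps(Gadget())


def build_benign_payload() -> bytes:
    """Constructed sample of the data a service legitimately expects."""
    return pickle.dumps({"user": "alice", "roles": ["admin"], "id": 7})


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads() on bytes from the network."""
    return pickle.loads(data)


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Pre-flight triage: every (module, name) the stream will import,
    recovered with pickletools.genops() without executing anything.
    Resolving STACK_GLOBAL from the last two string constants is an
    assumption that holds for streams written by the standard pickler;
    a hand-crafted stream could shuffle operands via memo opcodes, so
    treat this as a triage aid and rely on the allow-list as the control."""
    found = set()
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
                       "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"):
            recent_strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # pickletools joins the pair
            found.add((module, name))
        elif op.name == "STACK_GLOBAL":
            found.add((recent_strings[-2], recent_strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: every global the stream asks for must be
    explicitly approved, otherwise loading stops before any call is made."""

    ALLOWED = {
        ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
        ("builtins", "str"), ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    """Hardened replacement for unsafe_loads()."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_load_rejects(data: bytes) -> bool:
    """True if the allow-list unpickler refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("globals referenced by payload:", referenced_globals(evil))
    print("unsafe_loads ran attacker code and returned:", unsafe_loads(evil))
    print("safe_loads rejected the payload:", restricted_load_rejects(evil))
    print("safe_loads on benign data:", safe_loads(build_benign_payload()))
```

Note that the pickled stream never mentions Gadget at all: __reduce__ replaces the object with a (callable, args) pair, which is why auditing for "suspicious classes" by name is the wrong check and an allow-list on find_class is the right one. The fixes described in the entries above follow the same shape in their own ecosystems: yaml.safe_load over yaml.load, JSON.parse over JSON.load, and a YAML or Kryo configuration that refuses to instantiate types the application did not register.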