CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
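The description above states the weakness in one sentence. The following added example, written for this page rather than taken from it or from any project listed below, shows the mechanism behind the Python entries in the list (the `pickle.load` call in conference-scheduler-cli, CVE-2018-14572): a crafted byte stream makes the unpickler resolve and call a callable of the attacker's choosing at load time, and a restricted `Unpickler` whose `find_class` resolves only an allow-list refuses it. The crafted stream, the sample record and the allow-list contents are constructed for illustration and are not from any real product.

```python
"""Added example (not from the CWE-502 page or any project listed on it):
pickle.load on untrusted bytes executes a callable named by the stream, and a
restricted Unpickler that resolves only an allow-list of types refuses it."""
import datetime
import io
import pickle

# A crafted stream, built by hand (constructed sample). Protocol-0 opcodes:
#   c  GLOBAL  -> resolve builtins.eval through Unpickler.find_class
#   (  MARK, V UNICODE "1+1", t TUPLE -> the argument tuple ("1+1",)
#   R  REDUCE  -> call eval("1+1") while loading;  .  STOP
# The attacker needs no class on the victim: the bytes alone name the callable.
# A real payload names os.system (or similar) instead of eval.
CRAFTED_STREAM = b"cbuiltins\neval\n(V1+1\ntR."

# What the application legitimately exchanges (constructed sample).
LEGIT_STREAM = pickle.dumps(
    {"title": "q3", "generated": datetime.date(2024, 6, 4), "rows": [1, 2, 3]}
)


def vulnerable_load(blob: bytes):
    # CWE-502: pickle resolves and calls whatever global the stream names.
    return pickle.loads(blob)


# Types the application agrees to rebuild, as (module, qualname) pairs.
# Anything else, including builtins.eval and os.system, is refused before
# it is ever called.
ALLOWED_TYPES = {("datetime", "date")}


class AllowListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode in the stream routes through here.
        if (module, name) not in ALLOWED_TYPES:
            raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")
        return super().find_class(module, name)


def safe_load(blob: bytes):
    return AllowListUnpickler(io.BytesIO(blob)).load()


def demo():
    """Returns what each loader did with each stream."""
    results = {}
    # The "object" that comes back is the result of eval("1+1"): code ran.
    results["vulnerable_result"] = vulnerable_load(CRAFTED_STREAM)
    legit = safe_load(LEGIT_STREAM)
    results["safe_legit_ok"] = legit["generated"] == datetime.date(2024, 6, 4)
    try:
        safe_load(CRAFTED_STREAM)
        results["safe_refused"] = False
    except pickle.UnpicklingError:
        results["safe_refused"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: the allow-list only stops the stream from naming arbitrary globals, so the admitted types still run their own reconstruction code on load, and the list should be limited to plain data holders; where the schema permits, a data-only format such as JSON with validation removes the problem rather than containing it. The Java entries in the list (YamlBeans, SnakeYAML, jackson-databind polymorphic typing, XStream) are the same class of defect, and `ObjectInputFilter` (JEP 290) is the Java counterpart of overriding `find_class`.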
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
Page 49 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-37064 | — | High | 0.51 | 7.8 | 0.00 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted dataset to run arbitrary code on an end user's system when loaded. |
| CVE-2024-37062 | — | High | 0.51 | 7.8 | 0.00 | — | Jun 4, 2024 | Deserialization of untrusted data can occur in versions 3.7.0 or newer of Ydata's ydata-profiling open-source library, enabling a maliciously crafted report to run arbitrary code on an end user's system when loaded. |
| CVE-2024-2229 | — | High | 0.51 | 7.8 | 0.00 | — | Mar 18, 2024 | CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution when a malicious project file is loaded into the application by a valid user. |
| CVE-2023-24621 | — | High | 0.51 | 7.8 | 0.00 | — | Aug 25, 2023 | An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed. |
| CVE-2021-46364 | — | High | 0.51 | 7.8 | 0.01 | — | Feb 11, 2022 | A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file. |
| CVE-2021-41078 | — | High | 0.51 | 7.8 | 0.01 | — | Oct 26, 2021 | Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file. |
| CVE-2020-10721 | — | High | 0.51 | 7.8 | 0.01 | — | Oct 22, 2020 | A flaw was found in the fabric8-maven-plugin 4.0.0 and later. When using a wildfly-swarm or thorntail custom configuration, a malicious YAML configuration file on the local machine executing the maven plug-in could allow for deserialization of untrusted data resulting in… |
| CVE-2020-15777 | — | High | 0.51 | 7.8 | 0.01 | — | Aug 25, 2020 | An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious… |
| CVE-2020-11113 | — | High | 0.51 | 8.8 | 0.06 | — | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). |
| CVE-2020-10673 | — | High | 0.51 | 8.8 | 0.08 | — | Mar 18, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). |
| CVE-2018-10513 | — | High | 0.51 | 7.8 | 0.01 | — | Aug 30, 2018 | A Deserialization of Untrusted Data Privilege Escalation vulnerability in Trend Micro Security 2018 (Consumer) products could allow a local attacker to escalate privileges on vulnerable installations. An attacker must first obtain the ability to execute low-privileged code on… |
| CVE-2018-14572 | — | High | 0.51 | 7.8 | 0.02 | — | Aug 28, 2018 | In conference-scheduler-cli, a pickle.load call on imported data allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call. |
| CVE-2018-12539 | — | High | 0.51 | 7.8 | 0.00 | — | Aug 14, 2018 | In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use the Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which include the ability to execute untrusted native code. Attach API is enabled… |
| CVE-2018-14878 | — | High | 0.51 | 7.8 | 0.02 | — | Aug 13, 2018 | JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data. |
| CVE-2018-1000210 | — | High | 0.51 | 7.8 | 0.01 | — | Jul 13, 2018 | YamlDotNet version 4.3.2 and earlier contains an Insecure Direct Object Reference vulnerability in the default behavior of Deserializer.Deserialize(), which will deserialize user-controlled types in the line "currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);"… |
| CVE-2017-2608 | — | High | 0.51 | 8.8 | 0.06 | — | May 15, 2018 | Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code execution vulnerability involving the deserialization of various types in javax.imageio in XStream-based APIs (SECURITY-383). |
| CVE-2017-13286 | — | High | 0.51 | 7.8 | 0.00 | — | Apr 4, 2018 | In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges… |
| CVE-2017-12628 | — | High | 0.51 | 7.8 | 0.01 | — | Oct 20, 2017 | The JMX server embedded in Apache James, also used by the command line client, is exposed to a Java deserialization issue, and thus can be used to execute arbitrary commands. As James exposes the JMX socket by default only on localhost, this vulnerability can only be used for… |
| CVE-2017-0806 | — | High | 0.51 | 7.8 | 0.01 | — | Oct 4, 2017 | An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62998805. |
| CVE-2017-12612 | — | High | 0.51 | 7.8 | 0.01 | — | Sep 13, 2017 | In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user… |