VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 52 of 87
  • CVE-2023-39913 (High) Nov 8, 2023
    risk 0.50, cvss 8.8, epss 0.01

    Deserialization of Untrusted Data, Improper Input Validation vulnerability in Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK, Apache UIMA Java SDK. This issue affects Apache UIMA Java SDK: before 3.5.0. Users are recommended to upgrade to version 3.5.0, which…

  • CVE-2023-40195 (High) Aug 28, 2023
    risk 0.50, cvss 8.8, epss 0.01

    Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Software Foundation Apache Airflow Spark Provider. When the Apache Spark provider is installed on an Airflow deployment, an Airflow user that is authorized to…

  • CVE-2023-3343 (High) Jul 13, 2023
    risk 0.50, cvss 8.8, epss 0.01

    The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above,…

  • CVE-2023-27296 (High) Mar 27, 2023
    risk 0.50, cvss 8.8, epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong, you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. …

  • CVE-2022-3568 (High) Feb 10, 2023
    risk 0.50, cvss 8.8, epss 0.01

    The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site…

  • CVE-2022-3525 (High) Nov 20, 2022
    risk 0.50, cvss 8.8, epss 0.01

    Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0.

  • CVE-2021-25642 (High) Aug 25, 2022
    risk 0.50, cvss 8.8, epss 0.02

    ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to…

  • CVE-2022-2444 (High) Jul 18, 2022
    risk 0.50, cvss 8.8, epss 0.02

    The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges…

  • CVE-2022-31115 (High) Jun 30, 2022
    risk 0.50, cvss 8.8, epss 0.01

    opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the…

  • CVE-2021-33036 (High) Jun 15, 2022
    risk 0.50, cvss 8.8, epss 0.03

    In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

  • CVE-2021-43853 (High) Dec 22, 2021
    risk 0.50, cvss 8.7, epss 0.01

    Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to…

  • CVE-2021-21677 (High) Aug 31, 2021
    risk 0.50, cvss 8.8, epss 0.02

    Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.

  • CVE-2021-39132 (High) Aug 30, 2021
    risk 0.50, cvss 8.8, epss 0.01

    Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted…

  • CVE-2020-17532 (High) Jan 25, 2021
    risk 0.50, cvss 8.8, epss 0.03

    When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5

  • CVE-2020-15098 (High) Jul 29, 2020
    risk 0.50, cvss 8.8, epss 0.02

    In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a…

  • CVE-2020-12760 (High) May 11, 2020
    risk 0.50, cvss 8.8, epss 0.03

    An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code…

  • CVE-2020-2189 (High) May 6, 2020
    risk 0.50, cvss 8.8, epss 0.02

    Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2180 (High) Apr 16, 2020
    risk 0.50, cvss 8.8, epss 0.02

    Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2179 (High) Apr 16, 2020
    risk 0.50, cvss 8.8, epss 0.03

    Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-11112 (High) Mar 31, 2020
    risk 0.50, cvss 8.8, epss 0.04

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).