CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 74 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-35839 | | — | 0.00 | — | 0.01 | | Jun 19, 2023 | A bypass in the component sofa-hessian of Solon before v2.3.3 allows attackers to execute arbitrary code via providing crafted payload. |
| CVE-2023-3308 | | | 0.00 | — | 0.01 | | Jun 18, 2023 | A vulnerability classified as problematic has been found in whaleal IceFrog 1.1.8. Affected is an unknown function of the component Aviator Template Engine. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used. The identifier of… |
| CVE-2023-34212 | | | 0.00 | — | 0.02 | | Jun 12, 2023 | The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from… |
| CVE-2023-33496 | | — | 0.00 | — | 0.01 | | Jun 7, 2023 | xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability via the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode. |
| CVE-2023-31058 | | | 0.00 | — | 0.01 | | May 22, 2023 | Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers would bypass the 'autoDeserialize' option filtering by adding blanks. Users are advised to upgrade to Apache… |
| CVE-2023-31890 | | — | 0.00 | — | 0.01 | | May 16, 2023 | An XML Deserialization vulnerability in glazedlists v1.11.0 allows an attacker to execute arbitrary code via the BeanXMLByteCoder.decode() parameter. |
| CVE-2023-29216 | | — | 0.00 | — | 0.02 | | Apr 10, 2023 | In Apache Linkis <=1.3.1, because the parameters are not effectively filtered, the attacker uses the MySQL data source and malicious parameters to configure a new data source to trigger a deserialization vulnerability, eventually leading to remote code execution. Versions of… |
| CVE-2023-29215 | | — | 0.00 | — | 0.02 | | Apr 10, 2023 | In Apache Linkis <=1.3.1, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in JDBC EengineConn Module will trigger a deserialization vulnerability and eventually lead to remote code execution. Therefore, the parameters… |
| CVE-2023-28462 | | | 0.00 | — | 0.01 | | Mar 30, 2023 | A JNDI rebind operation in the default ORB listener in Payara Server 4.1.2.191 (Enterprise), 5.20.0 and newer (Enterprise), and 5.2020.1 and newer (Community), when Java 1.8u181 and earlier is used, allows remote attackers to load malicious code on the server once a JNDI… |
| CVE-2023-27296 | | | 0.00 | — | 0.01 | | Mar 27, 2023 | Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. It could be triggered by authenticated users of InLong; you could refer to [1] to know more about this vulnerability. This issue affects Apache InLong: from 1.1.0 through 1.5.0. … |
| CVE-2023-28115 | | | 0.00 | — | 0.03 | | Mar 17, 2023 | Snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page. Prior to version 1.4.2, Snappy is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the `file_exists()` function. If an attacker… |
| CVE-2023-26464 | | — | 0.00 | — | 0.02 | | Mar 10, 2023 | ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging… |
| CVE-2022-23535 | | — | 0.00 | — | 0.01 | | Feb 24, 2023 | LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to POCO classes. When instances of an object… |
| CVE-2022-48282 | | — | 0.00 | — | 0.01 | | Feb 21, 2023 | Under very specific circumstances (see Required configuration section below), a privileged user is able to cause arbitrary code to be executed which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver… |
| CVE-2022-45982 | | | 0.00 | — | 0.01 | | Feb 8, 2023 | thinkphp 6.0.0~6.0.13 and 6.1.0~6.1.1 contains a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload. |
| CVE-2023-24997 | | | 0.00 | — | 0.01 | | Feb 1, 2023 | Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7223… |
| CVE-2022-44645 | | — | 0.00 | — | 0.02 | | Jan 31, 2023 | In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a new datasource with a MySQL data source and malicious parameters.… |
| CVE-2023-24162 | | — | 0.00 | — | 0.01 | | Jan 31, 2023 | Deserialization vulnerability in Dromara Hutool v5.8.11 allows an attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter. |
| CVE-2023-21538 | | | 0.00 | — | 0.03 | | Jan 10, 2023 | .NET Denial of Service Vulnerability |
| CVE-2021-32828 | | — | 0.00 | — | 0.01 | | Jan 5, 2023 | The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by leveraging the… |