CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 75 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-32824 | 0.00 | — | 0.03 | Jan 3, 2023 | Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers… | |||
| CVE-2022-41966 | 0.00 | — | 0.09 | Dec 27, 2022 | XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code… | |||
| CVE-2020-10650 | — | 0.00 | — | 0.03 | Dec 26, 2022 | A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory,… | ||
| CVE-2021-33420 | 0.00 | — | 0.02 | Dec 15, 2022 | A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object. | |||
| CVE-2022-46366 | 0.00 | — | 0.04 | Dec 2, 2022 | Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version… | |||
| CVE-2022-41922 | — | 0.00 | — | 0.01 | Nov 23, 2022 | `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27. | ||
| CVE-2022-3525 | 0.00 | — | 0.01 | Nov 20, 2022 | Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0. | |||
| CVE-2022-45378 | 0.00 | — | 0.02 | Nov 14, 2022 | In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even… | |||
| CVE-2022-45136 | 0.00 | — | 0.02 | Nov 14, 2022 | Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of… | |||
| CVE-2022-39379 | — | 0.00 | — | 0.45 | Nov 2, 2022 | Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially… | ||
| CVE-2022-42468 | — | 0.00 | — | 0.03 | Oct 26, 2022 | Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol. | ||
| CVE-2022-39944 | — | 0.00 | — | 0.02 | Oct 26, 2022 | In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore,… | ||
| CVE-2022-39312 | 0.00 | — | 0.01 | Oct 25, 2022 | Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In… | |||
| CVE-2022-39297 | 0.00 | — | 0.01 | Oct 12, 2022 | MelisCms provides a full CMS for Melis Platform, including templating system, drag'n'drop of plugins, SEO and many administration tools. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, and ultimately leads to the execution of arbitrary… | |||
| CVE-2022-39298 | 0.00 | — | 0.01 | Oct 12, 2022 | MelisFront is the engine that displays website hosted on Melis Platform. It deals with showing pages, plugins, URL rewritting, search optimization and SEO, etc. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-front`, and ultimately leads to… | |||
| CVE-2022-42004 | 0.00 | — | 0.03 | Oct 2, 2022 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | |||
| CVE-2022-42003 | 0.00 | — | 0.03 | Oct 2, 2022 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | |||
| CVE-2022-39256 | 0.00 | — | 0.01 | Sep 27, 2022 | Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated… | |||
| CVE-2022-36944 | — | 0.00 | — | 0.08 | Sep 23, 2022 | Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary… | ||
| CVE-2022-41237 | 0.00 | — | 0.01 | Sep 21, 2022 | Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
- CVE-2021-32824Jan 3, 2023risk 0.00cvss —epss 0.03
Apache Dubbo is a java based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers…
- CVE-2022-41966Dec 27, 2022risk 0.00cvss —epss 0.09
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code…
- CVE-2020-10650Dec 26, 2022risk 0.00cvss —epss 0.03
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory,…
- CVE-2021-33420Dec 15, 2022risk 0.00cvss —epss 0.02
A deserialization issue discovered in inikulin replicator before 1.0.4 allows remote attackers to run arbitrary code via the fromSerializable function in TypedArray object.
- CVE-2022-46366Dec 2, 2022risk 0.00cvss —epss 0.04
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version…
- CVE-2022-41922Nov 23, 2022risk 0.00cvss —epss 0.01
`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.
- CVE-2022-3525Nov 20, 2022risk 0.00cvss —epss 0.01
Deserialization of Untrusted Data in GitHub repository librenms/librenms prior to 22.10.0.
- CVE-2022-45378Nov 14, 2022risk 0.00cvss —epss 0.02
In the default configuration of Apache SOAP, an RPCRouterServlet is available without authentication. This gives an attacker the possibility to invoke methods on the classpath that meet certain criteria. Depending on what classes are available on the classpath this might even…
- CVE-2022-45136Nov 14, 2022risk 0.00cvss —epss 0.02
Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deserialisation attack if the attacker is able to control the JDBC URL used or cause the underlying database server to return malicious data. The mySQL JDBC driver in particular is known to be vulnerable to this class of…
- CVE-2022-39379Nov 2, 2022risk 0.00cvss —epss 0.45
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially…
- CVE-2022-42468Oct 26, 2022risk 0.00cvss —epss 0.03
Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with an unsafe providerURL. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.
- CVE-2022-39944Oct 26, 2022risk 0.00cvss —epss 0.02
In Apache Linkis <=1.2.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures a JDBC EC with a MySQL data source and malicious parameters. Therefore,…
- CVE-2022-39312Oct 25, 2022risk 0.00cvss —epss 0.01
Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In…
- CVE-2022-39297Oct 12, 2022risk 0.00cvss —epss 0.01
MelisCms provides a full CMS for Melis Platform, including templating system, drag'n'drop of plugins, SEO and many administration tools. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, and ultimately leads to the execution of arbitrary…
- CVE-2022-39298Oct 12, 2022risk 0.00cvss —epss 0.01
MelisFront is the engine that displays website hosted on Melis Platform. It deals with showing pages, plugins, URL rewritting, search optimization and SEO, etc. Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-front`, and ultimately leads to…
- CVE-2022-42004Oct 2, 2022risk 0.00cvss —epss 0.03
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
- CVE-2022-42003Oct 2, 2022risk 0.00cvss —epss 0.03
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2022-39256Sep 27, 2022risk 0.00cvss —epss 0.01
Orckestra C1 CMS is a .NET based Web Content Management System. A vulnerability in versions prior to 6.13 allows remote attackers to execute arbitrary code on affected installations of Orckestra C1 CMS. Authentication is required to exploit this vulnerability. The authenticated…
- CVE-2022-36944Sep 23, 2022risk 0.00cvss —epss 0.08
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary…
- CVE-2022-41237Sep 21, 2022risk 0.00cvss —epss 0.01
Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.