VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood of Exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 77 of 87
  • CVE-2021-46364 (Feb 11, 2022)
    risk 0.00 | cvss | epss 0.01

    A vulnerability in the Snake YAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file.

  • CVE-2022-24289 (Feb 11, 2022)
    risk 0.00 | cvss | epss 0.02

    Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functionality to 'remote' applications. In Apache…

  • CVE-2022-0538 (Feb 9, 2022)
    risk 0.00 | cvss | epss 0.04

    Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.

  • CVE-2021-43859 (Feb 1, 2022)
    risk 0.00 | cvss | epss 0.08

    XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service…

  • CVE-2021-41766 (Jan 26, 2022)
    risk 0.00 | cvss | epss 0.02

    Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened…

  • CVE-2022-21647 (Jan 4, 2022)
    risk 0.00 | cvss | epss 0.38

    CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the…

  • CVE-2021-45687 (Dec 26, 2021)
    risk 0.00 | cvss | epss 0.01

    An issue was discovered in the raw-cpuid crate before 9.1.1 for Rust. If the serialize feature is used (which is not the default), a Deserialize operation may lack sufficient validation, leading to memory corruption or a panic.

  • CVE-2021-4118 (Dec 23, 2021)
    risk 0.00 | cvss | epss 0.01

    pytorch-lightning is vulnerable to Deserialization of Untrusted Data

  • CVE-2021-43853 (Dec 22, 2021)
    risk 0.00 | cvss | epss 0.01

    Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to…

  • CVE-2021-42550 (Dec 16, 2021)
    risk 0.00 | cvss | epss 0.04

    In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

  • CVE-2021-36567 (Dec 6, 2021)
    risk 0.00 | cvss | epss 0.02

    ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\AbstractCache.

  • CVE-2021-36564 (Dec 6, 2021)
    risk 0.00 | cvss | epss 0.02

    ThinkPHP v6.0.8 was discovered to contain a deserialization vulnerability via the component vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.

  • CVE-2021-22095 (Nov 30, 2021)
    risk 0.00 | cvss | epss 0.01

    In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large message.

  • CVE-2021-22097 (Oct 28, 2021)
    risk 0.00 | cvss | epss 0.01

    In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object…

  • CVE-2021-41078 (Oct 26, 2021)
    risk 0.00 | cvss | epss 0.01

    Nameko through 2.13.0 can be tricked into performing arbitrary code execution when deserializing the config file.

  • CVE-2021-25738 (Oct 11, 2021)
    risk 0.00 | cvss | epss 0.00

    Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

  • CVE-2021-41129 (Oct 6, 2021)
    risk 0.00 | cvss | epss 0.02

    Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In…

  • CVE-2021-41616 (Sep 30, 2021)
    risk 0.00 | cvss | epss 0.03

    Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used…

  • CVE-2021-31819 (Sep 22, 2021)
    risk 0.00 | cvss | epss 0.02

    In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification.

  • CVE-2021-39207 (Sep 10, 2021)
    risk 0.00 | cvss | epss 0.02

    parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack caused by unsafe loading, which leads to arbitrary code execution. This security bug is…