VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 78 of 87
  • CVE-2021-24040Sep 10, 2021
    risk 0.00cvss epss 0.17

    Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.

  • CVE-2021-37579Sep 9, 2021
    risk 0.00cvss epss 0.07

    The Dubbo Provider will check the incoming request and the corresponding serialization type of this request meet the configuration set by the server. But there's an exception that the attacker can use to skip the security check (when enabled) and reaching a deserialization…

  • CVE-2021-36163Sep 7, 2021
    risk 0.00cvss epss 0.03

    In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton: New HessianSkeleton are created without any configuration of the serialization factory and…

  • CVE-2021-21677Aug 31, 2021
    risk 0.00cvss epss 0.02

    Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.

  • CVE-2021-39132Aug 30, 2021
    risk 0.00cvss epss 0.01

    Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, an authorized user can upload a zip-format plugin with a crafted plugin.yaml, or a crafted aclpolicy yaml file, or upload an untrusted…

  • CVE-2021-39150Aug 23, 2021
    risk 0.00cvss epss 0.03

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime…

  • CVE-2021-39140Aug 23, 2021
    risk 0.00cvss epss 0.06

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of…

  • CVE-2021-39149Aug 23, 2021
    risk 0.00cvss epss 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39148Aug 23, 2021
    risk 0.00cvss epss 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39147Aug 23, 2021
    risk 0.00cvss epss 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39145Aug 23, 2021
    risk 0.00cvss epss 0.04

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39153Aug 23, 2021
    risk 0.00cvss epss 0.04

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box…

  • CVE-2021-39151Aug 23, 2021
    risk 0.00cvss epss 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-39139Aug 23, 2021
    risk 0.00cvss epss 0.04

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the…

  • CVE-2021-39154Aug 23, 2021
    risk 0.00cvss epss 0.05

    XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed…

  • CVE-2021-37678Aug 12, 2021
    risk 0.00cvss epss 0.00

    TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The [implementation](https://github.com/tensorflow/tensorflow/blo…

  • CVE-2021-23420Aug 11, 2021
    risk 0.00cvss epss 0.03

    This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation.

  • CVE-2021-37578Jul 29, 2021
    risk 0.00cvss epss 0.04

    Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote…

  • CVE-2021-32742Jul 9, 2021
    risk 0.00cvss epss 0.01

    Vapor is a web framework for Swift. In versions 4.47.1 and prior, bug in the `Data.init(base32Encoded:)` function opens up the potential for exposing server memory and/or crashing the server (Denial of Service) for applications where untrusted data can end up in said function.…

  • CVE-2021-29485Jun 29, 2021
    risk 0.00cvss epss 0.02

    Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, a malicious attacker can achieve Remote Code Execution (RCE) via a maliciously crafted Java deserialization gadget chain leveraged against the Ratpack session store. If one's application does not use…