VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 79 of 87
  • CVE-2021-31649Jun 24, 2021
    risk 0.00cvss epss 0.02

    In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerable to remote code execute

  • CVE-2021-30179May 31, 2021
    risk 0.00cvss epss 0.04

    Apache Dubbo prior to 2.6.9 and 2.7.9 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the…

  • CVE-2021-29505May 28, 2021
    risk 0.00cvss epss 0.78

    XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the…

  • CVE-2021-29508May 11, 2021
    risk 0.00cvss epss 0.02

    Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the…

  • CVE-2020-36326Apr 28, 2021
    risk 0.00cvss epss 0.03

    PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by…

  • CVE-2021-29476Apr 27, 2021
    risk 0.00cvss epss 0.02

    Requests is a HTTP library written in PHP. Requests mishandles deserialization in FilteredIterator. The issue has been patched and users of `Requests` 1.6.0, 1.6.1 and 1.7.0 should update to version 1.8.0.

  • CVE-2020-7385Apr 23, 2021
    risk 0.00cvss epss 0.02

    By launching the drb_remote_codeexec exploit, a Metasploit Framework user will inadvertently expose Metasploit to the same deserialization issue that is exploited by that module, due to the reliance on the vulnerable Distributed Ruby class functions. Since Metasploit Framework…

  • CVE-2021-21426Apr 21, 2021
    risk 0.00cvss epss 0.01

    Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported…

  • CVE-2021-21348Mar 22, 2021
    risk 0.00cvss epss 0.14

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the…

  • CVE-2021-21342Mar 22, 2021
    risk 0.00cvss epss 0.50

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new…

  • CVE-2021-21343Mar 22, 2021
    risk 0.00cvss epss 0.47

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new…

  • CVE-2021-21346Mar 22, 2021
    risk 0.00cvss epss 0.76

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is…

  • CVE-2021-21347Mar 22, 2021
    risk 0.00cvss epss 0.14

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is…

  • CVE-2020-36282Mar 12, 2021
    risk 0.00cvss epss 0.03

    JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 is vulnerable to unsafe deserialization that can result in code execution via crafted StreamMessage data.

  • CVE-2021-21371Mar 10, 2021
    risk 0.00cvss epss 0.00

    Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. It published in pypi as "tenable-jira-cloud". In tenable-jira-cloud before version 1.1.21, it is…

  • CVE-2021-25329Mar 1, 2021
    risk 0.00cvss epss 0.09

    The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note…

  • CVE-2021-23338Feb 15, 2021
    risk 0.00cvss epss 0.04

    This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.

  • CVE-2020-17532Jan 25, 2021
    risk 0.00cvss epss 0.03

    When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5

  • CVE-2021-20190Jan 19, 2021
    risk 0.00cvss epss 0.07

    A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

  • CVE-2020-23653Jan 13, 2021
    risk 0.00cvss epss 0.04

    An insecure unserialize vulnerability was discovered in ThinkAdmin versions 4.x through 6.x in app/admin/controller/api/Update.php and app/wechat/controller/api/Push.php, which may lead to arbitrary remote code execution.