CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 80 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-21604 | 0.00 | — | 0.02 | Jan 13, 2021 | Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator. | |||
| CVE-2020-11995 | — | 0.00 | — | 0.06 | Jan 11, 2021 | A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in… | ||
| CVE-2020-36179 | — | 0.00 | — | 0.21 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. | ||
| CVE-2020-36180 | — | 0.00 | — | 0.05 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. | ||
| CVE-2020-36182 | — | 0.00 | — | 0.05 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. | ||
| CVE-2020-36184 | — | 0.00 | — | 0.10 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. | ||
| CVE-2020-36185 | — | 0.00 | — | 0.05 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. | ||
| CVE-2020-36186 | — | 0.00 | — | 0.05 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. | ||
| CVE-2020-36187 | — | 0.00 | — | 0.05 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. | ||
| CVE-2020-36188 | — | 0.00 | — | 0.11 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. | ||
| CVE-2020-36189 | — | 0.00 | — | 0.05 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. | ||
| CVE-2020-36181 | — | 0.00 | — | 0.05 | Jan 6, 2021 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. | ||
| CVE-2019-7725 | — | 0.00 | — | 0.03 | Dec 31, 2020 | includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk). | ||
| CVE-2020-35490 | — | 0.00 | — | 0.08 | Dec 17, 2020 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. | ||
| CVE-2020-35491 | — | 0.00 | — | 0.09 | Dec 17, 2020 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. | ||
| CVE-2020-22083 | — | 0.00 | — | 0.06 | Dec 17, 2020 | jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution,… | ||
| CVE-2020-20136 | — | 0.00 | — | 0.02 | Dec 14, 2020 | QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability due to insecure configuration of TypeNameHandling property in Json.NET library. | ||
| CVE-2020-28948 | — | 0.00 | — | 0.47 | Nov 19, 2020 | Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked. | ||
| CVE-2020-10721 | 0.00 | — | 0.01 | Oct 22, 2020 | A flaw was found in the fabric8-maven-plugin 4.0.0 and later. When using a wildfly-swarm or thorntail custom configuration, a malicious YAML configuration file on the local machine executing the maven plug-in could allow for deserialization of untrusted data resulting in… | |||
| CVE-2020-15244 | 0.00 | — | 0.01 | Oct 21, 2020 | In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4. |
- CVE-2021-21604Jan 13, 2021risk 0.00cvss —epss 0.02
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.
- CVE-2020-11995Jan 11, 2021risk 0.00cvss —epss 0.06
A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protool, during Hessian2 deserializing the HashMap object, some functions in…
- CVE-2020-36179Jan 6, 2021risk 0.00cvss —epss 0.21
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36180Jan 6, 2021risk 0.00cvss —epss 0.05
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36182Jan 6, 2021risk 0.00cvss —epss 0.05
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
- CVE-2020-36184Jan 6, 2021risk 0.00cvss —epss 0.10
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
- CVE-2020-36185Jan 6, 2021risk 0.00cvss —epss 0.05
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
- CVE-2020-36186Jan 6, 2021risk 0.00cvss —epss 0.05
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
- CVE-2020-36187Jan 6, 2021risk 0.00cvss —epss 0.05
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
- CVE-2020-36188Jan 6, 2021risk 0.00cvss —epss 0.11
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
- CVE-2020-36189Jan 6, 2021risk 0.00cvss —epss 0.05
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
- CVE-2020-36181Jan 6, 2021risk 0.00cvss —epss 0.05
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
- CVE-2019-7725Dec 31, 2020risk 0.00cvss —epss 0.03
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).
- CVE-2020-35490Dec 17, 2020risk 0.00cvss —epss 0.08
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
- CVE-2020-35491Dec 17, 2020risk 0.00cvss —epss 0.09
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
- CVE-2020-22083Dec 17, 2020risk 0.00cvss —epss 0.06
jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function. Note: It has been argued that this is expected and clearly documented behaviour. pickle is known to be capable of causing arbitrary code execution,…
- CVE-2020-20136Dec 14, 2020risk 0.00cvss —epss 0.02
QuantConnect Lean versions from 2.3.0.0 to 2.4.0.1 are affected by an insecure deserialization vulnerability due to insecure configuration of TypeNameHandling property in Json.NET library.
- CVE-2020-28948Nov 19, 2020risk 0.00cvss —epss 0.47
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
- CVE-2020-10721Oct 22, 2020risk 0.00cvss —epss 0.01
A flaw was found in the fabric8-maven-plugin 4.0.0 and later. When using a wildfly-swarm or thorntail custom configuration, a malicious YAML configuration file on the local machine executing the maven plug-in could allow for deserialization of untrusted data resulting in…
- CVE-2020-15244Oct 21, 2020risk 0.00cvss —epss 0.01
In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.