CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
Page 81 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-26945 | | — | 0.00 | — | 0.02 | | Oct 10, 2020 | MyBatis before 3.5.6 mishandles deserialization of object streams. |
| CVE-2020-24750 | | — | 0.00 | — | 0.07 | | Sep 17, 2020 | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. |
| CVE-2020-15148 | | | 0.00 | — | 0.79 | | Sep 15, 2020 | Yii 2 (yiisoft/yii2) before version 2.0.38 is vulnerable to remote code execution if the application calls `unserialize()` on arbitrary user input. This is fixed in version 2.0.38. A possible workaround without upgrading is available in the linked advisory. |
| CVE-2020-24164 | | — | 0.00 | — | 0.01 | | Sep 11, 2020 | A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java… |
| CVE-2020-15777 | | — | 0.00 | — | 0.01 | | Aug 25, 2020 | An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious… |
| CVE-2020-24616 | | — | 0.00 | — | 0.09 | | Aug 25, 2020 | FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). |
| CVE-2020-5413 | | — | 0.00 | — | 0.04 | | Jul 31, 2020 | Spring Integration framework provides Kryo Codec implementations as an alternative for Java (de)serialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data… |
| CVE-2020-15086 | | — | 0.00 | — | 0.03 | | Jul 29, 2020 | In TYPO3 installations with the "mediace" extension from version 7.6.2 and before version 7.6.5, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a valid cryptographic message… |
| CVE-2020-15098 | | | 0.00 | — | 0.02 | | Jul 29, 2020 | In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and greater than or equal to 10.0.0 and less than 10.4.6, it has been discovered that an internal verification mechanism can be used to generate arbitrary checksums. This allows to inject arbitrary data having a… |
| CVE-2020-15842 | | — | 0.00 | — | 0.02 | | Jul 20, 2020 | Liferay Portal before 7.3.0, and Liferay DXP 7.0 before fix pack 90, 7.1 before fix pack 17, and 7.2 before fix pack 5, allows man-in-the-middle attackers to execute arbitrary code via crafted serialized payloads, because of insecure deserialization. |
| CVE-2020-14000 | | — | 0.00 | — | 0.03 | | Jul 16, 2020 | MIT Lifelong Kindergarten Scratch scratch-vm before 0.2.0-prerelease.20200714185213 loads extension URLs from untrusted project.json files with certain _ characters, resulting in remote code execution because the URL's content is treated as a script and is executed as a worker.… |
| CVE-2020-2211 | | | 0.00 | — | 0.02 | | Jul 2, 2020 | Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2013-7489 | | — | 0.00 | — | 0.01 | | Jun 26, 2020 | The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution. |
| CVE-2020-10740 | | — | 0.00 | — | 0.02 | | Jun 22, 2020 | A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans (EJB) due to lack of validation/filtering capabilities in wildfly. |
| CVE-2020-14942 | | — | 0.00 | — | 0.01 | | Jun 21, 2020 | Tendenci 12.0.10 allows unrestricted deserialization in apps\helpdesk\views\staff.py. |
| CVE-2020-14195 | | — | 0.00 | — | 0.05 | | Jun 16, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). |
| CVE-2020-14061 | | — | 0.00 | — | 0.04 | | Jun 14, 2020 | FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory,… |
| CVE-2020-5411 | | — | 0.00 | — | 0.02 | | Jun 11, 2020 | When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets". Spring Batch configures Jackson with global default typing… |
| CVE-2020-4043 | | | 0.00 | — | 0.03 | | Jun 10, 2020 | phpMussel from versions 1.0.0 and less than 1.6.0 has an unserialization vulnerability in PHP's phar wrapper. Uploading a specially crafted file to an affected version allows arbitrary code execution (discovered, tested, and confirmed by myself), so the risk factor should be… |
| CVE-2020-7660 | | — | 0.00 | — | 0.03 | | Jun 1, 2020 | serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js". |