VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 82 of 87
  • CVE-2018-21234May 21, 2020
    risk 0.00cvss epss 0.08

    Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when setClassMetadataName is set.

  • CVE-2020-9484May 20, 2020
    risk 0.00cvss epss 0.57

    When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore;…

  • CVE-2020-13092May 15, 2020
    risk 0.00cvss epss 0.03

    scikit-learn (aka sklearn) through 0.23.0 can unserialize and execute commands from an untrusted file that is passed to the joblib.load() function, if __reduce__ makes an os.system call. NOTE: third parties dispute this issue because the joblib.load() function is documented as…

  • CVE-2020-11067May 13, 2020
    risk 0.00cvss epss 0.02

    In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has been discovered that backend user settings (in $BE_USER->uc) are vulnerable to insecure deserialization. In combination with vulnerabilities of third party components, this can lead to remote code execution. A…

  • CVE-2020-12760May 11, 2020
    risk 0.00cvss epss 0.03

    An issue was discovered in OpenNMS Horizon before 26.0.1, and Meridian before 2018.1.19 and 2019 before 2019.1.7. The ActiveMQ channel configuration allowed for arbitrary deserialization of Java objects (aka ActiveMQ Minion payload deserialization), leading to remote code…

  • CVE-2020-2189May 6, 2020
    risk 0.00cvss epss 0.02

    Jenkins SCM Filter Jervis Plugin 0.2.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-12469Apr 29, 2020
    risk 0.00cvss epss 0.01

    admin/blocks.php in Subrion CMS through 4.2.1 allows PHP Object Injection (with resultant file deletion) via serialized data in the subpages value within a block to blocks/edit.

  • CVE-2020-2180Apr 16, 2020
    risk 0.00cvss epss 0.02

    Jenkins AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2179Apr 16, 2020
    risk 0.00cvss epss 0.03

    Jenkins Yaml Axis Plugin 0.2.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-11620Apr 7, 2020
    risk 0.00cvss epss 0.06

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

  • CVE-2019-17564Apr 1, 2020
    risk 0.00cvss epss 0.36

    Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo…

  • CVE-2019-2391Mar 31, 2020
    risk 0.00cvss epss 0.01

    Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior to.

  • CVE-2020-11111Mar 31, 2020
    risk 0.00cvss epss 0.03

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

  • CVE-2020-7610Mar 30, 2020
    risk 0.00cvss epss 0.02

    All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsotype, leading to cases where an object is serialized as a document rather than the intended BSON type.

  • CVE-2020-10968Mar 26, 2020
    risk 0.00cvss epss 0.04

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

  • CVE-2020-10969Mar 26, 2020
    risk 0.00cvss epss 0.03

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

  • CVE-2020-2168Mar 25, 2020
    risk 0.00cvss epss 0.02

    Jenkins Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2167Mar 25, 2020
    risk 0.00cvss epss 0.02

    Jenkins OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-2166Mar 25, 2020
    risk 0.00cvss epss 0.02

    Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2020-10672Mar 18, 2020
    risk 0.00cvss epss 0.03

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).