CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 83 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10673 | | — | 0.00 | — | 0.08 | | Mar 18, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). |
| CVE-2020-2158 | | | 0.00 | — | 0.03 | | Mar 9, 2020 | Jenkins Literate Plugin 1.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2019-14893 | | — | 0.00 | — | 0.04 | | Mar 2, 2020 | A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as… |
| CVE-2019-14892 | | — | 0.00 | — | 0.05 | | Mar 2, 2020 | A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. |
| CVE-2020-9547 | | — | 0.00 | — | 0.19 | | Mar 2, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). |
| CVE-2020-9548 | | — | 0.00 | — | 0.18 | | Mar 2, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). |
| CVE-2019-20477 | | — | 0.00 | — | 0.05 | | Feb 19, 2020 | PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. |
| CVE-2020-2123 | | | 0.00 | — | 0.02 | | Feb 12, 2020 | Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-2121 | | | 0.00 | — | 0.03 | | Feb 12, 2020 | Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2020-8840 | | — | 0.00 | — | 0.27 | | Feb 10, 2020 | FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. |
| CVE-2019-20330 | | — | 0.00 | — | 0.09 | | Jan 3, 2020 | FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. |
| CVE-2016-1000027 | | — | 0.00 | — | 0.32 | | Jan 2, 2020 | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.… |
| CVE-2019-19849 | | — | 0.00 | — | 0.01 | | Dec 17, 2019 | An issue was discovered in TYPO3 before 8.7.30, 9.x before 9.5.12, and 10.x before 10.2.2. It has been discovered that the classes QueryGenerator and QueryView are vulnerable to insecure deserialization. One exploitable scenario requires having the system extension ext:lowlevel… |
| CVE-2019-17556 | | | 0.00 | — | 0.04 | | Dec 4, 2019 | Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService class, which is public API, uses ObjectInputStream and doesn't check classes being deserialized. If an attacker can feed malicious metadata to the class, then it may result in running attacker's code in the worse… |
| CVE-2019-8141 | | | 0.00 | — | 0.02 | | Nov 5, 2019 | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization… |
| CVE-2019-13116 | | — | 0.00 | — | 0.05 | | Oct 16, 2019 | The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections. |
| CVE-2019-17531 | | — | 0.00 | — | 0.05 | | Oct 12, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the… |
| CVE-2019-17267 | | — | 0.00 | — | 0.05 | | Oct 6, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. |
| CVE-2019-17206 | | — | 0.00 | — | 0.03 | | Oct 5, 2019 | Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. |
| CVE-2019-16943 | | — | 0.00 | — | 0.05 | | Oct 1, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an… |
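Most rows on this page share one mechanism: the deserializer instantiates, or calls, whatever class the input names (PyYAML `load` and the rediswrapper pickle rows directly; the Jenkins YAML plugin and Olingo `ObjectInputStream` rows in Java), and the fix is an allowlist of what the stream may resolve, not a blocklist of known gadgets (the jackson-databind rows are the running history of that blocklist losing). The following is an added example, not code from this page or from any of the listed projects. It uses Python's standard-library `pickle` to show both halves: a constructed payload whose `__reduce__` names `subprocess.Popen` (the "Popen is a class in the subprocess module" row), a second payload with a harmless callable so the script can prove the unsafe loader really executes whatever the stream names, and a `pickle.Unpickler` subclass whose `find_class` refuses every global not on an allowlist. The `Gadget` class, the payload constants and the allowlist contents are assumptions for the demonstration. The Java analogues are `ObjectInputFilter` (JEP 290) for `ObjectInputStream` and SnakeYAML's `SafeConstructor`; PyYAML's is `yaml.safe_load`.

```python
import io
import os
import pickle
import subprocess


class Gadget:
    """Stand-in for an attacker-controlled object (assumed for this example).

    pickle writes __reduce__'s answer, (callable, args), into the stream and the
    loader later calls that callable. Any importable name works, which is how
    subprocess.Popen ends up inside a "data" blob.
    """

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def build_payload(func, args) -> bytes:
    """Serialise a Gadget; the bytes reference `func` as a GLOBAL, not Gadget."""
    return pickle.dumps(Gadget(func, args))


# Constructed payloads, not taken from any advisory. POPEN_PAYLOAD would spawn
# a process if passed to pickle.loads; nothing below ever does that. BENIGN_PAYLOAD
# names os.getpid so the unsafe path can be shown to execute the named callable.
POPEN_PAYLOAD = build_payload(subprocess.Popen, (["id"],))
BENIGN_PAYLOAD = build_payload(os.getpid, ())
DATA_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["reader"], "ttl": 300})


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads on bytes an attacker controls."""
    return pickle.loads(data)


def unsafe_loader_runs_gadget() -> bool:
    """True when pickle.loads called os.getpid() on the attacker's behalf."""
    return unsafe_loads(BENIGN_PAYLOAD) == os.getpid()


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist the globals a stream may resolve.

    Every GLOBAL / STACK_GLOBAL opcode goes through find_class, so refusing
    here stops the name before it is imported, let alone called.
    """

    ALLOWED = {  # assumed allowlist for this example's plain-data documents
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "set"),
        ("builtins", "tuple"),
        ("builtins", "str"),
        ("builtins", "int"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data: bytes):
    """Deserialise with the allowlist; raises UnpicklingError on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """'ok' when the stream loads under the allowlist, 'blocked' otherwise."""
    try:
        safe_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "blocked"


if __name__ == "__main__":
    print("pickle.loads executed the gadget callable:", unsafe_loader_runs_gadget())
    for label, payload in (("data", DATA_PAYLOAD), ("popen", POPEN_PAYLOAD), ("getpid", BENIGN_PAYLOAD)):
        print(f"{label:>6}: {classify(payload)}")
```

The allowlist is deliberately tiny: plain dicts, lists and scalars are encoded with dedicated opcodes and never hit `find_class` at all, so a document that only carries data loads unchanged, while anything that needs a named class or function is refused. That is the property the PyYAML and Jenkins fixes restore (a safe loader that knows only the data tags) and the property a blocklist of gadget class names, as in the jackson-databind rows, cannot give.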