VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
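The weakness in that sentence, shown as an added example in Python; this is not code from this page or from any of the projects in the list below, and the names Evil, Reading, referenced_globals, RestrictedUnpickler, unsafe_load, safe_load and demo are hypothetical. It mirrors the pickle-based entries further down (NumPy's numpy.load and Superset's unsafe pickle load): a stream that names a callable gets that callable invoked during loading, here builtins.eval on an attacker-chosen string. The hardened path does what the jackson-databind entries below show deny-lists failing at: it inspects the stream for the globals it would import before executing it, and it deserializes through an allow-list of the application's own classes instead of blocking known gadget classes one at a time.

```python
"""Added example: CWE-502 with Python's pickle, and two mitigations.

The Evil payload below is constructed for this example; it stands in for
the crafted serialized objects described in the NumPy and Superset CVEs.
"""
import io
import os
import pickle
import pickletools


class Evil:
    """Constructed payload. On load, pickle calls eval() on our string.

    A real gadget would point at os.system or subprocess.Popen; eval of
    getpid() is used so the effect is observable as a return value.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


class Reading:
    """The legitimate data object the application actually expects."""

    def __init__(self, sensor, value):
        self.sensor = sensor
        self.value = value


# Allow-list of (module, qualname) pairs the application is willing to load.
ALLOWED_CLASSES = {(Reading.__module__, Reading.__qualname__)}


def referenced_globals(data):
    """Static pre-check: every (module, name) the stream would import.

    Walks the opcodes with pickletools without executing anything. Handles
    both the text GLOBAL opcode (protocol 0-3) and STACK_GLOBAL (protocol 4+),
    which takes its module and name from the two preceding string pushes.
    """
    strings = []  # string values pushed so far, for STACK_GLOBAL
    found = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed stream: STACK_GLOBAL without operands")
            found.append((strings[-2], strings[-1]))
        elif op.name.endswith("UNICODE") or op.name.endswith("STRING"):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: refuse any global not in ALLOWED_CLASSES."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def unsafe_load(data):
    """The vulnerable pattern: let the stream name the callables it wants."""
    return pickle.loads(data)


def safe_load(data):
    """Hardened loader: pre-scan for unexpected globals, then allow-list load."""
    for module, name in referenced_globals(data):
        if (module, name) not in ALLOWED_CLASSES:
            raise pickle.UnpicklingError(f"stream references {module}.{name}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run the cases and return the observations instead of printing them."""
    payload = pickle.dumps(Evil())  # what an attacker would hand the app
    good_bytes = pickle.dumps(Reading("temp-1", 21.5))

    ran_code = unsafe_load(payload) == os.getpid()  # eval() really ran
    try:
        safe_load(payload)
        refused = False
    except pickle.UnpicklingError:
        refused = True
    good = safe_load(good_bytes)

    return {
        "unsafe_ran_code": ran_code,
        "globals_in_payload": referenced_globals(payload),
        "globals_in_good": referenced_globals(good_bytes),
        "safe_refused_payload": refused,
        "safe_roundtrip": (good.sensor, good.value),
    }


if __name__ == "__main__":
    print(demo())
```

The pre-scan and the restricted find_class overlap on purpose: the scan is cheap and gives a loggable reason before any object is constructed, while the Unpickler override is the control that actually holds if the scan misses an opcode form. Neither makes pickle safe for data from an untrusted party; the practical advice behind every pickle entry on this page is to use a data-only format such as JSON for such input.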

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 85 of 87
  • CVE-2018-12680 (Apr 2, 2019)
    risk 0.00 cvss | epss 0.01

    The Serialize.deserialize() method in CoAPthon 3.1, 4.0.0, 4.0.1, and 4.0.2 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, CoAP reverse proxy, example collect CoAP server and…

  • CVE-2018-12679 (Apr 2, 2019)
    risk 0.00 cvss | epss 0.01

    The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP…

  • CVE-2019-7539 (Mar 21, 2019)
    risk 0.00 cvss | epss 0.02

    A code injection issue was discovered in ipycache through 2016-05-31.

  • CVE-2018-12022 (Mar 17, 2019)
    risk 0.00 cvss | epss 0.07

    An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an…

  • CVE-2018-12023 (Mar 17, 2019)
    risk 0.00 cvss | epss 0.09

    An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access,…

  • CVE-2019-0187 (Mar 6, 2019)
    risk 0.00 cvss | epss 0.03

    Unauthenticated RCE is possible when JMeter is used in distributed mode (-r or -R command line options). An attacker can establish an RMI connection to a jmeter-server using RemoteJMeterEngine and proceed with an attack using untrusted data deserialization. This only affects tests…

  • CVE-2019-9212 (Feb 27, 2019)
    risk 0.00 cvss | epss 0.03

    SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is mishandled, related to Resin Gadget. NOTE: The vendor…

  • CVE-2019-7743 (Feb 12, 2019)
    risk 0.00 cvss | epss 0.03

    An issue was discovered in Joomla! before 3.9.3. The phar:// stream wrapper can be used for object injection attacks because there is no protection mechanism (such as the TYPO3 PHAR stream wrapper) to prevent use of the phar:// handler for non-.phar files.

  • CVE-2019-1000005 (Feb 4, 2019)
    risk 0.00 cvss | epss 0.02

    mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable via attacker must host crafted…

  • CVE-2019-6338 (Jan 22, 2019)
    risk 0.00 cvss | epss 0.02

    In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

  • CVE-2019-6446 (Jan 16, 2019)
    risk 0.00 cvss | epss 0.17

    An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a…

  • CVE-2018-19361 (Jan 2, 2019)
    risk 0.00 cvss | epss 0.11

    FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

  • CVE-2018-14718 (Jan 2, 2019)
    risk 0.00 cvss | epss 0.13

    FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

  • CVE-2018-14719 (Jan 2, 2019)
    risk 0.00 cvss | epss 0.10

    FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

  • CVE-2018-19360 (Jan 2, 2019)
    risk 0.00 cvss | epss 0.11

    FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

  • CVE-2018-19362 (Jan 2, 2019)
    risk 0.00 cvss | epss 0.11

    FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

  • CVE-2018-14720 (Jan 2, 2019)
    risk 0.00 cvss | epss 0.08

    FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

  • CVE-2018-16476 (Nov 30, 2018)
    risk 0.00 cvss | epss 0.03

    A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions…

  • CVE-2018-19296 (Nov 16, 2018)
    risk 0.00 cvss | epss 0.02

    PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.

  • CVE-2018-8021 (Nov 7, 2018)
    risk 0.00 cvss | epss 0.54

    Versions of Superset prior to 0.23 used an unsafe load method from the pickle library to deserialize data, leading to possible remote code execution. Note: Superset 0.23 was released prior to any Superset release under the Apache Software Foundation.