Total
1329 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-40571 | 1 Weblogic-framework Project | 1 Weblogic-framework | 2023-09-01 | 9.8 Critical |
| weblogic-framework is a tool for detecting weblogic vulnerabilities. Versions 0.2.3 and prior do not verify the returned data packets, and there is a deserialization vulnerability which may lead to remote code execution. When weblogic-framework gets the command echo, it directly deserializes the data returned by the server without verifying it. At the same time, the classloader loads a lot of deserialization calls. In this case, the malicious serialized data returned by the server will cause remote code execution. Version 0.2.4 contains a patch for this issue. | ||||
| CVE-2023-39106 | 1 Alibabacloud | 1 Nacos Spring Project | 2023-08-31 | 8.8 High |
| An issue in Nacos Group Nacos Spring Project v.1.1.1 and before allows a remote attacker to execute arbitrary code via the SnakeYamls Constructor() component. | ||||
| CVE-2023-24621 | 1 Esotericsoftware | 1 Yamlbeans | 2023-08-31 | 7.8 High |
| An issue was discovered in Esoteric YamlBeans through 1.15. It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed. | ||||
| CVE-2023-3259 | 1 Dataprobe | 44 Iboot-pdu4-c20, Iboot-pdu4-c20 Firmware, Iboot-pdu4-n20 and 41 more | 2023-08-22 | 9.8 Critical |
| The Dataprobe iBoot PDU running firmware version 1.43.03312023 or earlier is vulnerable to authentication bypass. By manipulating the IP address field in the "iBootPduSiteAuth" cookie, a malicious agent can direct the device to connect to a rouge database.Successful exploitation allows the malicious agent to take actions with administrator privileges including, but not limited to, manipulating power levels, modifying user accounts, and exporting confidential user information | ||||
| CVE-2020-10650 | 2 Fasterxml, Oracle | 3 Jackson-databind, Retail Merchandising System, Retail Sales Audit | 2023-08-18 | 8.1 High |
| A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. | ||||
| CVE-2023-39396 | 1 Huawei | 2 Emui, Harmonyos | 2023-08-17 | 7.5 High |
| Deserialization vulnerability in the input module. Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2023-38689 | 1 Rs485 | 1 Logisticspipes | 2023-08-11 | 9.8 Critical |
| Logistics Pipes is a modification (a.k.a. mod) for the computer game Minecraft Java Edition. The mod used Java's `ObjectInputStream#readObject` on untrusted data coming from clients or servers over the network resulting in possible remote code execution when sending specifically crafted network packets after connecting. The affected versions were released between 2013 and 2016 and the issue (back then unknown) was fixed in 2016 by a refactoring of the network IO code. The issue is present in all Logistics Pipes versions ranged from 0.7.0.91 prior to 0.10.0.71, which were downloaded from different platforms summing up to multi-million downloads. For Minecraft version 1.7.10 the issue was fixed in build 0.10.0.71. Everybody on Minecraft 1.7.10 should check their version number of Logistics Pipes in their modlist and update, if the version number is smaller than 0.10.0.71. Any newer supported Minecraft version (like 1.12.2) never had a Logistics Pipes version with vulnerable code. The best available workaround for vulnerable versions is to play in singleplayer only or update to newer Minecraft versions and modpacks. | ||||
| CVE-2023-36480 | 1 Aerospike | 1 Aerospike Java Client | 2023-08-09 | 9.8 Critical |
| The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Prior to versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on. Versions 7.0.0, 6.2.0, 5.2.0, and 4.5.0 contain a patch for this issue. | ||||
| CVE-2022-30287 | 2 Debian, Horde | 2 Debian Linux, Groupware | 2023-08-08 | 8.0 High |
| Horde Groupware Webmail Edition through 5.2.22 allows a reflection injection attack through which an attacker can instantiate a driver class. This then leads to arbitrary deserialization of PHP objects. | ||||
| CVE-2021-35095 | 1 Qualcomm | 20 Ar8035, Ar8035 Firmware, Qca8081 and 17 more | 2023-08-08 | 7.0 High |
| Improper serialization of message queue client registration can lead to race condition allowing multiple gunyah message clients to register with same label in Snapdragon Connectivity, Snapdragon Mobile | ||||
| CVE-2022-33900 | 1 Sandhillsdev | 1 Easy Digital Downloads | 2023-08-08 | 7.2 High |
| PHP Object Injection vulnerability in Easy Digital Downloads plugin <= 3.0.1 at WordPress. | ||||
| CVE-2022-35405 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2023-08-08 | 9.8 Critical |
| Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.) | ||||
| CVE-2022-22958 | 2 Linux, Vmware | 6 Linux Kernel, Cloud Foundation, Identity Manager and 3 more | 2023-08-08 | 7.2 High |
| VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution. | ||||
| CVE-2022-40609 | 1 Ibm | 1 Sdk | 2023-08-07 | 9.8 Critical |
| IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069. | ||||
| CVE-2023-24971 | 1 Ibm | 2 B2b Advanced Communications, Multi-enterprise Integration Gateway | 2023-08-04 | 6.5 Medium |
| IBM B2B Advanced Communications 1.0.0.0 and IBM Multi-Enterprise Integration Gateway 1.0.0.1 could allow a user to cause a denial of service due to the deserializing of untrusted serialized Java objects. IBM X-Force ID: 246976. | ||||
| CVE-2021-31680 | 1 Ultralytics | 1 Yolov5 | 2023-08-04 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in yolo 5 allows attackers to execute arbitrary code via crafted yaml file. | ||||
| CVE-2021-31681 | 1 Ultralytics | 1 Yolov3 | 2023-08-04 | 7.8 High |
| Deserialization of Untrusted Data vulnerability in yolo 3 allows attackers to execute arbitrary code via crafted yaml file. | ||||
| CVE-2023-23836 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | 7.2 High |
| SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands. | ||||
| CVE-2022-47507 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | 7.2 High |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | ||||
| CVE-2022-47504 | 1 Solarwinds | 1 Orion Platform | 2023-08-03 | 7.2 High |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. | ||||