Total: 1329 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2023-3001 | 1 Schneider-electric | 1 Igss Dashboard | 2023-06-21 | 7.8 High | A CWE-502: Deserialization of Untrusted Data vulnerability exists in the Dashboard module that could cause an interpretation of malicious payload data, potentially leading to remote code execution when an attacker gets the user to open a malicious file. |
CVE-2023-34212 | 1 Apache | 1 Nifi | 2023-06-21 | 6.5 Medium | The JndiJmsConnectionFactoryProvider Controller Service, along with the ConsumeJMS and PublishJMS Processors, in Apache NiFi 1.8.0 through 1.21.0 allow an authenticated and authorized user to configure URL and library properties that enable deserialization of untrusted data from a remote location. The resolution validates the JNDI URL and restricts locations to a set of allowed schemes. You are recommended to upgrade to version 1.22.0 or later, which fixes this issue. |
CVE-2022-48282 | 1 Mongodb | 1 C# Driver | 2023-06-21 | 7.2 High | Under very specific circumstances (see the required configuration below), a privileged user is able to cause arbitrary code to be executed, which may cause further disruption to services. This is specific to applications written in C#. This affects all MongoDB .NET/C# Driver versions prior to and including v2.18.0. The following configuration must be true for the vulnerability to be applicable: * Application must be written in C#, taking arbitrary data from users and serializing data using _t without any validation AND * Application must be running on a Windows host using the full .NET Framework, not .NET Core AND * Application must have a domain model class with a property/field explicitly of type System.Object or a collection of type System.Object (against MongoDB best practice) AND * Malicious attacker must have unrestricted insert access to the target database to add a _t discriminator. |
CVE-2019-2391 | 1 Mongodb | 1 Js-bson | 2023-06-19 | 5.4 Medium | Incorrect parsing of certain JSON input may result in js-bson not correctly serializing BSON. This may cause unexpected application behaviour, including data disclosure. This issue affects: MongoDB Inc. js-bson library version 1.1.3 and prior. |
CVE-2023-30262 | 1 Mimsoftware | 2 Mim Concurrent License Server, Mim Local Concurrent License Server | 2023-06-16 | 8.8 High | An issue found in MIM Software Inc. MIM License Server and MIMpacs services v.6.9 through v.7.0, fixed in v.7.0.10, allows a remote unauthenticated attacker to execute arbitrary code via the RMI Registry service. |
CVE-2023-33496 | 1 Xxl-rpc Project | 1 Xxl-rpc | 2023-06-15 | 9.8 Critical | xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerability via the component com.xxl.rpc.core.remoting.net.impl.netty.codec.NettyDecode#decode. |
CVE-2023-33284 | 1 Marvalglobal | 1 Msm | 2023-06-14 | 8.8 High | Marval MSM through 14.19.0.12476 and 15.0 has a Remote Code Execution vulnerability. A remote attacker authenticated as any user is able to execute code in the context of the web server. |
CVE-2023-20888 | 1 Vmware | 1 Vrealize Network Insight | 2023-06-14 | 8.8 High | Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution. |
CVE-2023-33963 | 1 Dataease | 1 Dataease | 2023-06-08 | 9.8 Critical | DataEase is an open source data visualization and analysis tool. Prior to version 1.18.7, a deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. |
CVE-2017-17485 | 4 Debian, Fasterxml, Netapp and 1 more | 9 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 6 more | 2023-06-08 | 9.8 Critical | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. |
CVE-2021-21741 | 1 Zte | 2 Zxv10 M910, Zxv10 M910 Firmware | 2023-06-05 | 9.8 Critical | There is a command execution vulnerability in a ZTE conference management system. As some services are enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending a specific serialization command. |
CVE-2023-20878 | 1 Vmware | 2 Cloud Foundation, Vrealize Operations | 2023-06-02 | 7.2 High | VMware Aria Operations contains a deserialization vulnerability. A malicious actor with administrative privileges can execute arbitrary commands and disrupt the system. |
CVE-2022-4815 | 1 Hitachi | 2 Vantara Pentaho, Vantara Pentaho Business Analytics Server | 2023-06-01 | 8.8 High | Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x, deserialize untrusted JSON data without constraining the parser to approved classes and methods. |
CVE-2023-27068 | 1 Sitecore | 1 Experience Platform | 2023-05-30 | 9.8 Critical | Deserialization of Untrusted Data in Sitecore Experience Platform through 10.2 allows remote attackers to run arbitrary code via ValidationResult.aspx. |
CVE-2023-31058 | 1 Apache | 1 Inlong | 2023-05-27 | 7.5 High | Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.4.0 through 1.6.0. Attackers could bypass the 'autoDeserialize' option filtering by adding blanks. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7674 to solve it. |
CVE-2023-32336 | 3 Ibm, Linux, Microsoft | 4 Aix, Infosphere Information Server, Linux Kernel and 1 more | 2023-05-26 | 9.8 Critical | IBM InfoSphere Information Server 11.7 is affected by a remote code execution vulnerability due to insecure deserialization in an RMI service. IBM X-Force ID: 255285. |
CVE-2023-31890 | 1 Glazedlists | 1 Glazed Lists | 2023-05-25 | 9.8 Critical | An XML Deserialization vulnerability in glazedlists v1.11.0 allows an attacker to execute arbitrary code via the BeanXMLByteCoder.decode() parameter. |
CVE-2023-30898 | 1 Siemens | 1 Siveillance Video | 2023-05-17 | 8.8 High | A vulnerability has been identified in Siveillance Video 2020 R2 (All versions < V20.2 HotfixRev14), Siveillance Video 2020 R3 (All versions < V20.3 HotfixRev12), Siveillance Video 2021 R1 (All versions < V21.1 HotfixRev12), Siveillance Video 2021 R2 (All versions < V21.2 HotfixRev8), Siveillance Video 2022 R1 (All versions < V22.1 HotfixRev7), Siveillance Video 2022 R2 (All versions < V22.2 HotfixRev5), Siveillance Video 2022 R3 (All versions < V22.3 HotfixRev2), Siveillance Video 2023 R1 (All versions < V23.1 HotfixRev1). The Event Server component of affected applications deserializes data without sufficient validations. This could allow an authenticated remote attacker to execute code on the affected system. |
CVE-2023-30899 | 1 Siemens | 1 Siveillance Video | 2023-05-17 | 8.8 High | A vulnerability has been identified in Siveillance Video 2020 R2 (All versions < V20.2 HotfixRev14), Siveillance Video 2020 R3 (All versions < V20.3 HotfixRev12), Siveillance Video 2021 R1 (All versions < V21.1 HotfixRev12), Siveillance Video 2021 R2 (All versions < V21.2 HotfixRev8), Siveillance Video 2022 R1 (All versions < V22.1 HotfixRev7), Siveillance Video 2022 R2 (All versions < V22.2 HotfixRev5), Siveillance Video 2022 R3 (All versions < V22.3 HotfixRev2), Siveillance Video 2023 R1 (All versions < V23.1 HotfixRev1). The Management Server component of affected applications deserializes data without sufficient validations. This could allow an authenticated remote attacker to execute code on the affected system. |
CVE-2020-15777 | 1 Gradle | 1 Maven | 2023-05-16 | 7.8 High | An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious deserialization gadget chain. The socket is not bound exclusively to localhost. The port this socket is assigned to is randomly selected and is not intentionally exposed to the public (either by design or documentation). This could potentially be used to achieve remote code execution and local privilege escalation. |