Total: 1329 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2019-16891 | 1 Liferay | 1 Liferay Portal | 2023-02-24 | 9.8 Critical | Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
CVE-2022-25845 | 2 Alibaba, Oracle | 2 Fastjson, Communications Cloud Native Core Unified Data Repository | 2023-02-23 | 9.8 Critical | The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
CVE-2021-36981 | 1 Sernet | 1 Verinice | 2023-02-23 | 8.8 High | In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.
CVE-2023-25558 | 1 Datahub Project | 1 Datahub | 2023-02-21 | 8.8 High | DataHub is an open-source metadata platform. When the DataHub frontend is configured to authenticate via SSO, it leverages the pac4j library. The processing of the `id_token` is done in an unsafe manner that is not properly accounted for by the DataHub frontend. Specifically, if any of the id_token claim values start with the {#sb64} prefix, pac4j considers the value to be a serialized Java object and deserializes it. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place that puts some restriction on what classes can be deserialized, it still allows a broad range of Java packages and is potentially exploitable with different gadget chains. Users are advised to upgrade. There are no known workarounds. This vulnerability was discovered and reported by the GitHub Security Lab and is tracked as GHSL-2022-086.
CVE-2022-45982 | 1 Thinkphp | 1 Thinkphp | 2023-02-16 | 9.8 Critical | ThinkPHP 6.0.0~6.0.13 and 6.1.0~6.1.1 contain a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVE-2023-25135 | 1 Vbulletin | 1 Vbulletin | 2023-02-13 | 9.8 Critical | vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verify_serialized checks that a value is serialized by calling unserialize and then checking for errors. The fixed versions are 5.6.7 PL1, 5.6.8 PL1, and 5.6.9 PL1.
CVE-2019-10202 | 1 Redhat | 2 Enterprise Linux, Jboss Enterprise Application Platform | 2023-02-12 | 9.8 Critical | A series of deserialization vulnerabilities has been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873 and CVE-2019-12086, reported for FasterXML jackson-databind, by implementing a whitelist approach that mitigates these vulnerabilities and future ones alike.
CVE-2016-8653 | 1 Redhat | 2 Jboss A-mq, Jboss Fuse | 2023-02-12 | N/A | It was found that the JMX endpoint of Red Hat JBoss Fuse 6 and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.
CVE-2016-8648 | 1 Redhat | 2 Jboss A-mq, Jboss Fuse | 2023-02-12 | N/A | It was found that the Karaf container used by Red Hat JBoss Fuse 6.x and Red Hat JBoss A-MQ 6.x deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath.
CVE-2016-4978 | 2 Apache, Redhat | 3 Activemq Artemis, Enterprise Linux Server, Jboss Enterprise Application Platform | 2023-02-12 | 7.2 High | The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
CVE-2021-25642 | 1 Apache | 1 Hadoop | 2023-02-10 | 8.8 High | ZKConfigurationStore, which is optionally used by the CapacityScheduler of Apache Hadoop YARN, deserializes data obtained from ZooKeeper without validation. An attacker with access to ZooKeeper can run arbitrary commands as the YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.
CVE-2023-24162 | 1 Hutool | 1 Hutool | 2023-02-07 | 9.8 Critical | A deserialization vulnerability in Dromara Hutool v5.8.11 allows an attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.
CVE-2019-4279 | 1 Ibm | 1 Websphere Application Server | 2023-02-03 | 9.8 Critical | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.
CVE-2018-3972 | 1 Getmonero | 1 Monero | 2023-02-02 | 9.8 Critical | An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attacker can send a packet to trigger this vulnerability.
CVE-2022-31710 | 1 Vmware | 1 Vrealize Log Insight | 2023-02-01 | 7.5 High | vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data, which could result in a denial of service.
CVE-2022-45923 | 1 Opentext | 1 Opentext Extended Ecm | 2023-01-30 | 8.8 High | An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker.
CVE-2023-22850 | 1 Tiki | 1 Tiki | 2023-01-25 | 8.8 High | Tiki before 24.1, when the Spreadsheets feature is enabled, allows lib/sheet/grid.php PHP Object Injection because of an unserialize call.
CVE-2022-46478 | 1 Datax-web Project | 1 Datax-web | 2023-01-23 | 9.8 Critical | The RPC interface in datax-web v1.0.0 and v2.0.0 to v2.1.2 contains no permission checks by default, which allows attackers to execute arbitrary commands via crafted Hessian serialized data.
CVE-2021-32828 | 1 Hyland | 1 Nuxeo | 2023-01-11 | 6.1 Medium | The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by leveraging the automation API.
CVE-2021-32824 | 1 Apache | 1 Dubbo | 2023-01-10 | 9.8 Critical | Apache Dubbo is a Java-based, open source RPC framework. Versions prior to 2.6.10 and 2.7.10 are vulnerable to pre-auth remote code execution via arbitrary bean manipulation in the Telnet handler. The Dubbo main service port can be used to access a Telnet Handler which offers some basic methods to collect information about the providers and methods exposed by the service, and it can even allow shutting down the service. This endpoint is unprotected. Additionally, a provider method can be invoked using the `invoke` handler. This handler uses a safe version of FastJson to process the call arguments. However, the resulting list is later processed with `PojoUtils.realize`, which can be used to instantiate arbitrary classes and invoke their setters. Even though FastJson is properly protected with a default blocklist, `PojoUtils.realize` is not, and an attacker can leverage that to achieve remote code execution. Versions 2.6.10 and 2.7.10 contain fixes for this issue.