Vulnerabilities (CVE)

CWE filter: CWE-502 (Deserialization of Untrusted Data)

273 CVEs in total; the 20 listed below are sorted by last update, most recent first.

CVE  Vendors (count, names)  Products (count, names)  Updated  CVSS
CVE-2016-6809 1 Apache 1 Tika 2019-10-15 7.5
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
CVE-2019-16891 1 Liferay 1 Liferay Portal 2019-10-10 6.5
Liferay Portal CE 6.2.5 allows remote command execution because of deserialization of a JSON payload.
CVE-2019-17206 2019-10-10 7.5
Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts.
CVE-2019-9212 1 Antfin 1 Sofa-hessian 2019-10-10 7.5
** DISPUTED ** SOFA-Hessian through 4.0.2 allows remote attackers to execute arbitrary commands via a crafted serialized Hessian object because blacklisting of com.caucho.naming.QName and com.sun.org.apache.xpath.internal.objects.XString is...
CVE-2019-6338 2 Drupal, Debian 2 Drupal, Debian Linux 2019-10-09 6.0
In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to...
CVE-2019-5434 2019-10-09 7.5
An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such a vulnerability could be used to perform various types of...
CVE-2019-12799 1 Shopware 1 Shopware 2019-10-09 6.5
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can...
CVE-2019-12630 1 Cisco 1 Security Manager 2019-10-09 7.5
A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of...
CVE-2019-10202 1 Redhat 1 Jboss Enterprise Application Platform 2019-10-09 7.5
A series of deserialization vulnerabilities have been discovered in Codehaus Jackson 1.9.x (the org.codehaus.jackson packages) as shipped in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for...
CVE-2019-10173 1 Xstream Project 1 Xstream 2019-10-09 7.5
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when...
CVE-2018-7529 1 Osisoft 2 Pi Vision, Pi Data Archive 2019-10-09 7.8
A Deserialization of Untrusted Data issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may modify deserialized data to send custom requests that crash the server.
CVE-2018-6331 1 Facebook 1 Buck 2019-10-09 7.5
The Buck parser-cache command loads and saves its state as a Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01.
CVE-2018-3784 1 Cryo Project 1 Cryo 2019-10-09 7.5
A code injection in cryo 0.0.6 (a JavaScript object-serialization library) allows an attacker to arbitrarily execute code due to an insecure implementation of deserialization.
CVE-2018-1904 1 Ibm 1 Websphere Application Server 2019-10-09 7.5
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533.
CVE-2018-1851 1 Ibm 1 Websphere Application Server 2019-10-09 7.5
IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit...
CVE-2018-1567 1 Ibm 1 Websphere Application Server 2019-10-09 7.5
IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024.
CVE-2018-1131 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2019-10-09 6.5
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain...
CVE-2018-1051 1 Redhat 1 Resteasy 2019-10-09 6.8
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
CVE-2018-19276 1 Openmrs 1 Openmrs 2019-10-09 10.0
OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.
CVE-2018-16476 2 Rubyonrails, Redhat 3 Active Job, Rails, Cloudforms 2019-10-09 5.0
A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This...
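Every entry above shares one root cause: bytes from an untrusted channel are handed to a deserializer that is allowed to instantiate, or call, whatever the bytes name. The following is an added example, not code from this page or from any of the listed projects, that reproduces the rediswrapper-style pattern (CVE-2019-17206: a pickled value pulled back out of a store) in Python and places the hardened form beside it. The gadget, the payload and the environment-variable name CWE502_DEMO are constructed for the demonstration; the gadget only leaves a marker in os.environ where a real attacker would name os.system or subprocess.Popen.

```python
# Added example (not from the page or any listed project): CWE-502 via
# Python pickle, vulnerable pattern beside a hardened loader.
import io
import os
import pickle

MARKER = "CWE502_DEMO"  # assumed unused in the environment; set by the gadget


class PickleGadget:
    """An object whose __reduce__ tells the unpickler which callable to run.

    pickle stores the callable by module and name ('builtins.eval' here) and
    the unpickler calls it with the stored arguments. Substituting os.system
    gives the remote command execution the advisories above describe.
    """

    def __reduce__(self):
        expr = f"__import__('os').environ.setdefault({MARKER!r}, 'executed')"
        return (eval, (expr,))


def craft_payload() -> bytes:
    """Bytes an attacker could plant in Redis or any other untrusted store."""
    return pickle.dumps(PickleGadget())


def legit_payload() -> bytes:
    """A value the application would legitimately cache (constructed)."""
    return pickle.dumps({"user": "alice", "roles": ["admin"]})


# --- vulnerable: what a rediswrapper-style get() does with stored bytes -----
def unsafe_load(blob: bytes):
    """pickle.loads on untrusted bytes: whatever __reduce__ named gets called."""
    return pickle.loads(blob)


# --- hardened: resolve only the globals a cache value legitimately needs ----
ALLOWED_GLOBALS = {
    "builtins": {
        "dict", "list", "tuple", "set", "frozenset",
        "str", "bytes", "int", "float", "bool",
    },
}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list find_class: every GLOBAL/STACK_GLOBAL opcode passes through here."""

    def find_class(self, module, name):
        if name in ALLOWED_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_rejects(blob: bytes) -> bool:
    """True when the restricted loader refuses the blob instead of running it."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def marker_value():
    """Evidence of whether the gadget's code ran in this process."""
    return os.environ.get(MARKER)


if __name__ == "__main__":
    print("legit value via safe_load:", safe_load(legit_payload()))
    print("gadget rejected by safe_load:", safe_load_rejects(craft_payload()))
    print("gadget via unsafe_load returned:", unsafe_load(craft_payload()))
    print("marker after unsafe_load:", marker_value())
```

The allow-list is the important part: the hardened loader does not try to recognise "bad" classes (the approach the disputed SOFA-Hessian entry above shows failing), it names the handful of types a cache value may contain and refuses everything else. Where the data is under the application's control, replacing pickle with JSON removes the problem class entirely.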