Total
1806 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-5003 | 1 Apache | 1 Ws-xmlrpc | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to execute arbitrary code via a crafted serialized Java object in an <ex:serializable> element. | |||||
| CVE-2016-3415 | 1 Synacor | 1 Zimbra Collaboration Suite | 2025-04-20 | 6.4 MEDIUM | 9.1 CRITICAL |
| Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276. | |||||
| CVE-2016-0360 | 1 Ibm | 1 Websphere Mq Jms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457. | |||||
| CVE-2017-5830 | 1 Revive-adserver | 1 Revive Adserver | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Revive Adserver before 4.0.1 allows remote attackers to execute arbitrary code via serialized data in the cookies related to the delivery scripts. | |||||
| CVE-2017-12612 | 1 Apache | 1 Spark | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe deserialization of data received by its socket. This makes applications launched programmatically using the launcher API potentially vulnerable to arbitrary code execution by an attacker with access to any user account on the local machine. It does not affect apps run by spark-submit or spark-shell. The attacker would be able to execute code as the user that ran the Spark application. Users are encouraged to update to version 2.2.0 or later. | |||||
| CVE-2017-3159 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. | |||||
| CVE-2016-8749 | 1 Apache | 1 Camel | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. | |||||
| CVE-2017-5983 | 1 Atlassian | 1 Jira | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object. | |||||
| CVE-2017-5954 | 1 Serialize-to-js Project | 1 Serialize-to-js | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the serialize-to-js package 0.5.0 for Node.js. Untrusted data passed into the deserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE). | |||||
| CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | |||||
| CVE-2017-3066 | 1 Adobe | 1 Coldfusion | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution. | |||||
| CVE-2017-9805 | 3 Apache, Cisco, Netapp | 7 Struts, Digital Media Manager, Hosted Collaboration Solution and 4 more | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. | |||||
| CVE-2014-8731 | 1 Phpmemcachedadmin Project | 1 Phpmemcachedadmin | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related "serialized data and the last part of the concatenated filename," which creates a file in webroot. | |||||
| CVE-2017-10803 | 1 Odoo | 1 Odoo | 2025-04-20 | 8.5 HIGH | 6.5 MEDIUM |
| In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used. | |||||
| CVE-2017-7293 | 1 Dolby | 2 Dolby Audio X2, Dolby Audio X3 | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The Dolby DAX2 and DAX3 API services are vulnerable to a privilege escalation vulnerability that allows a normal user to get arbitrary system privileges, because these services have .NET code for DCOM. This affects Dolby Audio X2 (DAX2) 1.0, 1.0.1, 1.1, 1.1.1, 1.2, 1.3, 1.3.1, 1.3.2, 1.4, 1.4.1, 1.4.2, 1.4.3, and 1.4.4 and Dolby Audio X3 (DAX3) 1.0 and 1.1. An example affected driver is Realtek Audio Driver 6.0.1.7898 on a Lenovo P50. | |||||
| CVE-2017-12628 | 1 Apache | 1 James Server | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| The JMX server embedded in Apache James, also used by the command line client is exposed to a java de-serialization issue, and thus can be used to execute arbitrary commands. As James exposes JMX socket by default only on local-host, this vulnerability can only be used for privilege escalation. Release 3.0.1 upgrades the incriminated library. | |||||
| CVE-2016-8744 | 1 Apache | 1 Brooklyn | 2025-04-20 | 9.0 HIGH | 8.8 HIGH |
| Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration in Brooklyn before 0.10.0, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability. | |||||
| CVE-2017-1000053 | 1 Plug Project | 1 Plug | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session. | |||||
| CVE-2017-1000034 | 1 Akka | 1 Akka | 2025-04-20 | 9.3 HIGH | 8.1 HIGH |
| Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem. | |||||
| CVE-2017-5878 | 1 Red5 | 1 Media Server | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data. | |||||