Total
1839 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-44682 | 1 Veritas | 1 Enterprise Vault | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14079). | |||||
| CVE-2021-44681 | 1 Veritas | 1 Enterprise Vault | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14080). | |||||
| CVE-2021-44680 | 1 Veritas | 1 Enterprise Vault | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14075). | |||||
| CVE-2021-44679 | 1 Veritas | 1 Enterprise Vault | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14074). | |||||
| CVE-2021-44678 | 1 Veritas | 1 Enterprise Vault | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14076). | |||||
| CVE-2021-44677 | 1 Veritas | 1 Enterprise Vault | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An issue (1 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications. These TCP services can be exploited due to deserialization behavior that is inherent to the .NET Remoting service. A malicious attacker can exploit both TCP remoting services and local IPC services on the Enterprise Vault Server. This vulnerability is mitigated by properly configuring the servers and firewall as described in the vendor's security alert for this vulnerability (VTS21-003, ZDI-CAN-14078). | |||||
| CVE-2021-44029 | 1 Quest | 1 Kace Desktop Authority | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Quest KACE Desktop Authority before 11.2. This vulnerability allows attackers to execute remote code through a deserialization exploitation in the RadAsyncUpload function of ASP.NET AJAX. An attacker can leverage this vulnerability when the encryption keys are known (due to the presence of CVE-2017-11317, CVE-2017-11357, or other means). A default setting for the type whitelisting feature in more current versions of ASP.NET AJAX prevents exploitation. | |||||
| CVE-2021-43853 | 1 Ajax.net Professional Project | 1 Ajax.net Professional | 2024-11-21 | 3.5 LOW | 8.7 HIGH |
| Ajax.NET Professional (AjaxPro) is an AJAX framework available for Microsoft ASP.NET. Affected versions of this package are vulnerable to JavaScript object injection which may result in cross site scripting when leveraged by a malicious user. The affected core relates to JavaScript object creation when parsing json input. Releases before version 21.12.22.1 are affected. A workaround exists that replaces one of the core JavaScript files embedded in the library. See the GHSA-5q7q-qqw2-hjq7 for workaround details. | |||||
| CVE-2021-43360 | 1 Sun | 1 Ehrd | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| Sunnet eHRD e-mail delivery task schedule’s serialization function has inadequate input object validation and restriction, which allows a post-authenticated remote attacker with database access privilege, to execute arbitrary code and control the system or interrupt services. | |||||
| CVE-2021-43297 | 1 Apache | 1 Dubbo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian will log out some imformation for users, which may cause remote command execution. This issue affects Apache Dubbo Apache Dubbo 2.6.x versions prior to 2.6.12; Apache Dubbo 2.7.x versions prior to 2.7.15; Apache Dubbo 3.0.x versions prior to 3.0.5. | |||||
| CVE-2021-42698 | 1 Azeotech | 1 Daqfactory | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Project files are stored memory objects in the form of binary serialized data that can later be read and deserialized again to instantiate the original objects in memory. Malicious manipulation of these files may allow an attacker to corrupt memory. | |||||
| CVE-2021-42631 | 3 Apple, Linux, Printerlogic | 4 Macos, Linux Kernel, Virtual Appliance and 1 more | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| PrinterLogic Web Stack versions 19.1.1.13 SP9 and below deserializes attacker controlled leading to pre-auth remote code execution. | |||||
| CVE-2021-42550 | 4 Netapp, Qos, Redhat and 1 more | 6 Cloud Manager, Service Level Manager, Snap Creator Framework and 3 more | 2024-11-21 | 8.5 HIGH | 6.6 MEDIUM |
| In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. | |||||
| CVE-2021-42392 | 3 Debian, H2database, Oracle | 3 Debian Linux, H2, Communications Cloud Native Core Policy | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. | |||||
| CVE-2021-42130 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 allows an attacker with access to the Inforail Service to perform arbitrary code execution. | |||||
| CVE-2021-42127 | 1 Ivanti | 1 Avalanche | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A deserialization of untrusted data vulnerability exists in Ivanti Avalanche before 6.3.3 using Inforail Service allows arbitrary code execution via Data Repository Service. | |||||
| CVE-2021-42090 | 1 Zammad | 1 Zammad | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Zammad before 4.1.1. The Form functionality allows remote code execution because deserialization is mishandled. | |||||
| CVE-2021-41766 | 1 Apache | 1 Karaf | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened against unauthenticated deserialization attacks, the implementation used by Apache Karaf is not protected against this kind of attack. The impact of Java deserialization vulnerabilities strongly depends on the classes that are available within the targets class path. Generally speaking, deserialization of untrusted data does always represent a high security risk and should be prevented. The risk is low as, by default, Karaf uses a limited set of classes in the JMX server class path. It depends of system scoped classes (e.g. jar in the lib folder). | |||||
| CVE-2021-41588 | 1 Gradle | 1 Gradle | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys. | |||||
| CVE-2021-41419 | 1 Qvis | 4 Dvr, Dvr Firmware, Nvr and 1 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| QVIS NVR DVR before 2021-12-13 is vulnerable to Remote Code Execution via Java deserialization. | |||||