Vulnerabilities (CVE)

Filtered by CWE-502
Total 1806 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-14702 1 Branaghgroup 1 Ers Data System 2025-04-20 7.5 HIGH 9.8 CRITICAL
ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to "com.branaghgroup.ecers.update.UpdateRequest" object deserialization.
CVE-2016-3690 1 Redhat 1 Jboss Enterprise Application Platform 2025-04-20 7.5 HIGH 9.8 CRITICAL
The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.
CVE-2016-6809 1 Apache 2 Nutch, Tika 2025-04-20 7.5 HIGH 9.8 CRITICAL
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
CVE-2017-12149 1 Redhat 1 Jboss Enterprise Application Platform 2025-04-20 7.5 HIGH 9.8 CRITICAL
In JBoss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict the classes for which it performs deserialization, thus allowing an attacker to execute arbitrary code via crafted serialized data.
CVE-2017-11284 1 Adobe 1 Coldfusion 2025-04-20 7.5 HIGH 9.8 CRITICAL
Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
CVE-2017-9830 1 Code42 1 Crashplan 2025-04-20 7.5 HIGH 9.8 CRITICAL
Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the org.apache.commons.ssl.rmi.DateRMI Java class, because (upon instantiation) it creates an RMI server that listens on a TCP port and deserializes objects sent by TCP clients.
CVE-2017-9424 1 Ideablade 1 Breeze.server.net 2025-04-20 7.5 HIGH 9.8 CRITICAL
IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization.
CVE-2017-2292 1 Puppet 1 Mcollective 2025-04-20 7.5 HIGH 9.0 CRITICAL
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
CVE-2017-11283 1 Adobe 1 Coldfusion 2025-04-20 7.5 HIGH 9.8 CRITICAL
Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. This affects Update 4 and earlier versions for ColdFusion 2016, and Update 12 and earlier versions for ColdFusion 11.
CVE-2017-8804 1 Gnu 1 Glibc 2025-04-20 7.8 HIGH 7.5 HIGH
The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references
CVE-2017-5941 1 Node-serialize Project 1 Node-serialize 2025-04-20 7.5 HIGH 9.8 CRITICAL
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize() function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression (IIFE).
CVE-2017-14035 1 Crushftp 1 Crushftp 2025-04-20 7.5 HIGH 9.8 CRITICAL
CrushFTP 8.x before 8.2.0 has a serialization vulnerability.
CVE-2015-7501 1 Redhat 15 Data Grid, Jboss A-mq, Jboss Bpm Suite and 12 more 2025-04-20 10.0 HIGH 9.8 CRITICAL
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CVE-2017-5641 2 Apache, Hp 2 Flex Blazeds, Xp Command View Advanced Edition 2025-04-20 7.5 HIGH 9.8 CRITICAL
Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution.
CVE-2016-10304 1 Sap 1 Netweaver Application Server Java 2025-04-20 4.0 MEDIUM 6.5 MEDIUM
The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to cause a denial of service (out-of-memory error and service instability) via a crafted serialized Java object, as demonstrated by serial.cc3, aka SAP Security Note 2315788.
CVE-2016-8736 1 Apache 1 Openmeetings 2025-04-20 7.5 HIGH 9.8 CRITICAL
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via an RMI deserialization attack.
CVE-2016-6793 1 Apache 1 Wicket 2025-04-20 6.4 MEDIUM 9.1 CRITICAL
The DiskFileItem class in Apache Wicket 6.x before 6.25.0 and 1.5.x before 1.5.17 allows remote attackers to cause a denial of service (infinite loop) and write to, move, and delete files with the permissions of DiskFileItem, and if running on a Java VM before 1.3.1, execute arbitrary code via a crafted serialized Java object.
CVE-2017-1000248 1 Redis-store 1 Redis-store 2025-04-20 7.5 HIGH 9.8 CRITICAL
Redis-store <=v1.3.0 allows unsafe objects to be loaded from Redis.
CVE-2017-4914 1 Vmware 1 Vsphere Data Protection 2025-04-20 7.5 HIGH 9.8 CRITICAL
VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance.
CVE-2017-12796 1 Openmrs 1 Openmrs 2025-04-20 10.0 HIGH 9.8 CRITICAL
The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute operating system commands by crafting malicious XML payloads, as demonstrated by a single admin/reports/reportSchemaXml.form request.