Total
1363 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17206 | 1 Redis Wrapper Project | 1 Redis Wrapper | 2019-12-09 | 7.5 HIGH | 9.8 CRITICAL |
| Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. | |||||
| CVE-2019-4561 | 1 Ibm | 1 Security Identity Manager | 2019-11-22 | 9.3 HIGH | 8.8 HIGH |
| IBM Security Identity Manager 6.0.0 could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 166456. | |||||
| CVE-2019-1373 | 1 Microsoft | 1 Exchange Server | 2019-11-14 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in Microsoft Exchange through the deserialization of metadata via PowerShell, aka 'Microsoft Exchange Remote Code Execution Vulnerability'. | |||||
| CVE-2019-8141 | 1 Magento | 1 Magento | 2019-11-07 | 6.5 MEDIUM | 7.2 HIGH |
| A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality. | |||||
| CVE-2019-18601 | 1 Openafs | 1 Openafs | 2019-11-06 | 5.0 MEDIUM | 7.5 HIGH |
| OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of service from unserialized data access because remote attackers can make a series of VOTE_Debug RPC calls to crash a database server within the SVOTE_Debug RPC handler. | |||||
| CVE-2019-18364 | 1 Jetbrains | 1 Teamcity | 2019-11-01 | 7.5 HIGH | 9.8 CRITICAL |
| In JetBrains TeamCity before 2019.1.4, insecure Java Deserialization could potentially allow remote code execution. | |||||
| CVE-2019-13116 | 1 Mulesoft | 1 Mule Runtime | 2019-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections | |||||
| CVE-2017-14141 | 1 Kaltura | 1 Kaltura Server | 2019-10-17 | 6.5 MEDIUM | 7.2 HIGH |
| The wiki_decode Developer System Helper function in the admin panel in Kaltura before 13.2.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object. | |||||
| CVE-2019-5434 | 1 Revive-sas | 1 Revive Adserver | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| An attacker could send a specifically crafted payload to the XML-RPC invocation script and trigger the unserialize() call on the "what" parameter in the "openads.spc" RPC method. Such vulnerability could be used to perform various types of attacks, e.g. exploit serialize-related PHP vulnerabilities or PHP object injection. It is possible, although unconfirmed, that the vulnerability has been used by some attackers in order to gain access to some Revive Adserver instances and deliver malware through them to third party websites. This vulnerability was addressed in version 4.2.0. | |||||
| CVE-2019-12630 | 1 Cisco | 1 Security Manager | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of casuser. | |||||
| CVE-2018-7529 | 1 Osisoft | 1 Pi Data Archive | 2019-10-09 | 7.8 HIGH | 7.5 HIGH |
| A Deserialization of Untrusted Data issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may modify deserialized data to send custom requests that crash the server. | |||||
| CVE-2018-6331 | 1 Facebook | 1 Buck | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Buck parser-cache command loads/saves state using Java serialized object. If the state information is maliciously crafted, deserializing it could lead to code execution. This issue affects Buck versions prior to v2018.06.25.01. | |||||
| CVE-2018-1904 | 1 Ibm | 1 Websphere Application Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources. IBM X-Force ID: 152533. | |||||
| CVE-2018-1851 | 1 Ibm | 1 Websphere Application Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| IBM WebSphere Application Server Liberty OpenID Connect could allow a remote attacker to execute arbitrary code on the system, caused by improper deserialization. By sending a specially-crafted request to the RP service, an attacker could exploit this vulnerability to execute arbitrary code. IBM X-Force ID: 150999. | |||||
| CVE-2018-1567 | 1 Ibm | 1 Websphere Application Server | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources. IBM X-Force ID: 143024. | |||||
| CVE-2018-1131 | 2 Infinispan, Redhat | 2 Infinispan, Jboss Data Grid | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected. | |||||
| CVE-2018-1051 | 1 Redhat | 1 Resteasy | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider. | |||||
| CVE-2018-16476 | 2 Redhat, Rubyonrails | 2 Cloudforms, Rails | 2019-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1. | |||||
| CVE-2018-15616 | 1 Avaya | 1 Avaya Aura System Platform | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability in the Web UI component of Avaya Aura System Platform could allow a remote, unauthenticated user to perform a targeted deserialization attack that could result in remote code execution. Affected versions of System Platform includes 6.3.0 through 6.3.9 and 6.4.0 through 6.4.2. | |||||
| CVE-2018-15381 | 1 Cisco | 1 Unity Express | 2019-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges. | |||||