Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2021-41616
HistorySep 30, 2021 - 8:15 a.m.

CVE-2021-41616

2021-09-3008:15:06
CWE-502
[email protected]
web.nvd.nist.gov
45
cve-2021-41616
apache
db
ddlutils
binaryobjectshelper
insecurity
sql
binary
varbinary
longvarbinary
blob
objectinputstream
security
nvd

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.218 Low

EPSS

Percentile

96.5%

JSON

Apache DB DdlUtils 1.0 included a BinaryObjectsHelper that was intended for use when migrating database data with a SQL data type of BINARY, VARBINARY, LONGVARBINARY, or BLOB between databases using the ddlutils features. The BinaryObjectsHelper class was insecure and used ObjectInputStream.readObject without validating that the input data was safe to deserialize. Please note that DdlUtils is no longer being actively developed. To address the insecurity of the BinaryObjectHelper class, the following changes to DdlUtils have been made: (1) BinaryObjectsHelper.java has been deleted from the DdlUtils source repository and the DdlUtils feature of propagating data of SQL binary types is therefore no longer present in DdlUtils; (2) The ddlutils-1.0 release has been removed from the Apache Release Distribution Infrastructure; (3) The DdlUtils web site has been updated to indicate that DdlUtils is now available only as source code, not as a packaged release.

Affected configurations

Vulners
NVD
Node
apacheddlutilsRange1.0
CPENameOperatorVersion
apache:ddlutilsapache ddlutilseq1.0

CNA Affected

[
  {
    "product": "Apache DB ddlutils",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Apache DB ddlutils 1.0"
      }
    ]
  }
]

Related

cnvd 1
osv 2
cvelist 1
nvd 1
f5 1
prion 1
github 1
oracle 1
cnvd
cnvd
Apache DB DdlUtils code issue vulnerability
2021-10-14 00:00:00
osv
osv
CVE-2021-41616
2021-09-30 08:15:06
Deserialization of Untrusted Data in org.apache.ddlutils:ddlutils
2021-10-04 20:12:30
cvelist
cvelist
CVE-2021-41616 Apache ddlutils 1.0 readobject vulnerability
2021-09-30 07:55:11
nvd
nvd
CVE-2021-41616
2021-09-30 08:15:06
f5
f5
K14234227 : Apache DB DdlUtils vulnerability CVE-2021-41616
2021-11-15 00:00:00
prion
prion
Design/Logic Flaw
2021-09-30 08:15:00
github
github
Deserialization of Untrusted Data in org.apache.ddlutils:ddlutils
2021-10-04 20:12:30
oracle
oracle
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.218 Low

EPSS

Percentile

96.5%

JSON
Related for CVE-2021-41616
cnvd1osv2cvelist1nvd1f51prion1github1oracle1