359 matches found

Veracode
added 2018/09/06 2:20 a.m. · 8 views

Remote Code Execution Via JSON Deserialization

jodd-json is vulnerable to remote code execution via JSON deserialization. The JSON parser supports polymorphic deserialization when setClassMetadataName is set, which allows an attacker to execute arbitrary code using a crafted JSON request...

8.2 AI score
Exploits: 0
Positive Technologies
added 2018/08/23 12:0 a.m. · 3 views

PT-2018-16294 · Samsung · Samsung Smartthings Hub

Name of the Vulnerable Software and Affected Versions: Samsung SmartThings Hub STH-ETH-250 version 0.20.17 Description: A buffer overflow issue exists in the camera "replace" feature of the video-core's HTTP server. This occurs because the video-core process incorrectly extracts the URL field fro...

9.9 CVSS · 9.6 AI score · 0.01753 EPSS
Exploits: 2 · References: 2
CNVD
added 2018/08/01 12:0 a.m. · 2 views

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-17077)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the camera 'update' function of the video-core HTTP server in the Samsung SmartThings Hub, which stems from the...

9.9 CVSS · 9.5 AI score · 0.01804 EPSS
Exploits: 2 · References: 1
CNVD
added 2018/08/01 12:0 a.m. · 2 views

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-17075)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the camera 'create' function of the video-core HTTP server in the Samsung SmartThings Hub, which stems from the...

9.9 CVSS · 8.8 AI score · 0.01489 EPSS
Exploits: 2 · References: 1
CNVD
added 2018/08/01 12:0 a.m. · 1 view

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-15900)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the credentials handler of the video-core HTTP server in the Samsung SmartThings Hub, which originates from the...

9.9 CVSS · 9.5 AI score · 0.01804 EPSS
Exploits: 2 · References: 1
CNVD
added 2018/08/01 12:0 a.m. · 1 view

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-15899)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the credentials handler of the video-core HTTP server in the Samsung SmartThings Hub, which originates from the...

9.9 CVSS · 9.5 AI score · 0.01534 EPSS
Exploits: 2 · References: 1
CNVD
added 2018/07/31 12:0 a.m. · 1 view

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-14288)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of the video-core HTTP server in the Samsung SmartThings Hub, which originates when the...

9.9 CVSS · 9.4 AI score · 0.01534 EPSS
Exploits: 2 · References: 1
CNVD
added 2018/07/31 12:0 a.m. · 2 views

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-14287)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the /cameras/XXXX/clips handler of the video-core HTTP server in the Samsung SmartThings Hub, which originates when the...

9.9 CVSS · 9.4 AI score · 0.01804 EPSS
Exploits: 2 · References: 1
CNVD
added 2018/07/31 12:0 a.m. · 1 view

Samsung SmartThings Hub video-core HTTP server buffer overflow vulnerability (CNVD-2018-14280)

Samsung SmartThings Hub is a smart home management device from Samsung, South Korea. video-core HTTP server is one of the HTTP servers. A buffer overflow vulnerability exists in the credentials handler of the video-core HTTP server in the Samsung SmartThings Hub, which originates from the...

9.9 CVSS · 9.6 AI score · 0.01753 EPSS
Exploits: 2 · References: 1
Prion
added 2018/07/15 3:29 a.m. · 17 views

Command injection

OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data...

10 CVSS · 9.7 AI score · 0.04516 EPSS
Exploits: 2 · References: 2 · Affected Software: 4
NVD
added 2018/05/30 9:29 p.m. · 23 views

CVE-2018-11481

TP-LINK IPC TL-IPC223P-6, TL-IPC323K-D, TL-IPC325KP-, and TL-IPC40A-4 devices allow authenticated remote code execution via crafted JSON data because /usr/lib/lua/luci/torchlight/validator.lua does not block various punctuation characters...

8.8 CVSS · 9 AI score · 0.01788 EPSS
Exploits: 0 · References: 1
OSV
added 2018/02/26 3:29 p.m. · 3 views

UBUNTU-CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of th...

9.8 CVSS · 7.6 AI score · 0.20521 EPSS
Exploits: 0 · References: 4
UbuntuCve
added 2018/02/26 3:29 p.m. · 49 views

CVE-2018-7489

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of th...

9.8 CVSS · 7.5 AI score · 0.20521 EPSS
Exploits: 0 · References: 3
UbuntuCve
added 2018/01/10 6:29 p.m. · 54 views

CVE-2017-17485

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper,...

9.8 CVSS · 7.5 AI score · 0.49727 EPSS
Exploits: 1 · References: 2
CNVD
added 2018/01/10 12:0 a.m. · 4 views

FasterXML jackson-databind Arbitrary Code Execution Vulnerability

FasterXML Jackson is a Java data processing tool from the U.S. company FasterXML. Jackson-databind is one of its components, providing data binding capabilities. A security vulnerability exists in FasterXML jackson-databind versions 2.8.10 and earlier and versions 2.9.x through 2.9.3. A remote attacker c...

9.8 CVSS · 9.3 AI score · 0.49727 EPSS
Exploits: 1 · References: 1
Cvelist
added 2017/12/01 4:0 p.m. · 36 views

CVE-2017-15707

In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library that is vulnerable and allows a DoS attack to be performed using a malicious request with a specially crafted JSON payload...

7.6 AI score · 0.04889 EPSS
Exploits: 2 · References: 6
UbuntuCve
added 2017/11/03 3:29 p.m. · 33 views

CVE-2017-16516

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service...

7.5 CVSS · 7 AI score · 0.03735 EPSS
Exploits: 1 · References: 4
OSV
added 2017/11/03 3:29 p.m. · 1 view

UBUNTU-CVE-2017-16516

In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the yajl_string_decode function in yajl_encode.c. This results in the whole ruby process terminating and potentially a denial of service...

7.5 CVSS · 7.1 AI score · 0.03735 EPSS
Exploits: 1 · References: 5
GitHub Security Blog
added 2017/10/24 6:33 p.m. · 50 views

JSON gem has Improper Input Validation vulnerability

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain...

7.5 CVSS · 4.9 AI score · 0.13911 EPSS
Exploits: 0 · References: 22 · Affected Software: 1
OSV
added 2017/10/24 6:33 p.m. · 47 views

GHSA-X457-CW4H-HQ5F JSON gem has Improper Input Validation vulnerability

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain...

7.5 CVSS · 7.1 AI score · 0.13911 EPSS
Exploits: 0 · References: 22