13 matches found

Snyk
added 2025/06/29 12:30 a.m., 3 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the BigDecimal and BigInteger handling in the MessageSerializer class. An attacker can execute arbitrary code or manipulate application behavior by providing crafted serialized objects. Details...

CVSS 8.8 | AI score 7.8 | EPSS 0.00296
Exploits: 0 | References: 2

CNNVD
added 2024/12/06 12:0 a.m., 1 views

ClipBucket Security Vulnerability

ClipBucket is an open source and freely downloadable PHP script from MacWarrior Open Source. It is used for video-sharing sites. A security vulnerability exists in ClipBucket 5.5.1-199 and earlier versions, which stems from a PHP deserialization vulnerability and improper input...

CVSS 9.8 | AI score 6.7 | EPSS 0.00254
Exploits: 1 | References: 2

OSV
added 2022/05/17 4:48 a.m., 2 views

GHSA-V64W-96P6-FX7W Apache Geronimo JMX Remoting functionality allows remote code execution in 3.x before v3.0.1

The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to...

CVSS 10 | AI score 6.2 | EPSS 0.08279
Exploits: 0 | References: 9

OSV
added 2022/05/14 3:30 a.m., 0 views

GHSA-J65F-MVGW-PRP2 Deserialization of Untrusted Data in Apache OpenJPA

The BrokerFactory functionality in Apache OpenJPA 1.x before 1.2.3 and 2.x before 2.2.2 creates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by...

CVSS 7.5 | AI score 7.5 | EPSS 0.14602
Exploits: 0 | References: 17

OSV
added 2020/06/15 8:36 p.m., 1 views

GHSA-6HGM-866R-3CJV Insecure Deserialization in Apache Commons Collection

Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object...

CVSS 9.8 | AI score 7.3 | EPSS 0.212
Exploits: 1 | References: 12

OSV
added 2019/05/17 4:29 p.m., 1 views

CVE-2019-4279

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445...

CVSS 9.8 | AI score 7.7 | EPSS 0.83649
Exploits: 1 | References: 3

RedHat Linux
added 2018/03/13 2:45 p.m., 2 views

client: unchecked deserialization in marshaller util

The hotrod java client in infinispan automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks...

CVSS 8.8 | AI score 6.4 | EPSS 0.00528
Exploits: 0 | References: 4

RedHat Linux
added 2017/11/16 7:52 p.m., 0 views

client: unchecked deserialization in marshaller util

The hotrod java client in infinispan automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks...

CVSS 8.8 | AI score 6.4 | EPSS 0.00528
Exploits: 0 | References: 4

OSV
added 2017/11/09 5:29 p.m., 4 views

DEBIAN-CVE-2015-7501

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x;...

CVSS 9.8 | AI score 9.5 | EPSS 0.71461
Exploits: 8 | References: 1

CNVD
added 2017/02/09 12:0 a.m., 2 views

Gradle Arbitrary Code Execution Vulnerability

Gradle is a JVM-based project build tool that supports Maven, Ivy repositories and so on. A security vulnerability exists in the ObjectSocketWrapper.java file in Gradle version 2.12. Remote attackers can exploit the vulnerability to execute arbitrary code with the help of specially crafte...

CVSS 9.8 | AI score 9.6 | EPSS 0.02251
Exploits: 1 | References: 1

CNVD
added 2016/05/21 12:0 a.m., 0 views

HPE Release Control Apache Commons Collections Arbitrary Code Execution Vulnerability

HPE Release Control is a set of decision support solutions. Apache Commons Collections is a component in Commons Proper of the Apache Commons project that extends or adds to the Java collections framework. An unspecified security vulnerability in ACC for HPE Release Control allows remote attackers...

CVSS 10 | AI score 7.5 | EPSS 0.03231
Exploits: 0 | References: 1

RedHat Linux
added 2016/01/25 10:10 p.m., 6 views

groovy: remote execution of untrusted code in class MethodClosure

A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code...

CVSS 9.8 | AI score 7.6 | EPSS 0.64446
Exploits: 4 | References: 5

Cvelist
added 2015/04/11 1:0 a.m., 17 views

CVE-2015-0692

Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execute arbitrary Python code and gain privileges via crafted serialized objects, aka Bug ID CSCut39230...

AI score 7.4 | EPSS 0.00124
Exploits: 0 | References: 2