CVE-2023-23930 vantage6's Pickle serialization is insecure

vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version...

CVE-2023-23930 vantage6's Pickle serialization is insecure

vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are affected. Version...

GHSA-MVJ3-QRQH-CJVR CometBFT PeerState JSON serialization deadlock

Impact An internal modification to the way struct PeerState is serialized to JSON introduced a deadlock when new function MarshallJSON is called. This function can be called from two places: 1. Via logs Setting the consensus logging module to "debug" level should not happen in production, and...

CVE-2023-34450

CometBFT is a Byzantine Fault Tolerant BFT middleware that takes a state transition machine and replicates it on many machines. An internal modification made in versions 0.34.28 and 0.37.1 to the way struct PeerState is serialized to JSON introduced a deadlock when new function MarshallJSON is...

Format string

CometBFT is a Byzantine Fault Tolerant BFT middleware that takes a state transition machine and replicates it on many machines. An internal modification made in versions 0.34.28 and 0.37.1 to the way struct PeerState is serialized to JSON introduced a deadlock when new function MarshallJSON is...

CVE-2023-34450

CometBFT (CVE-2023-34450) describes a deadlock in PeerState JSON serialization introduced by a change in versions 0.34.28 and 0.37.1. The deadlock can be triggered either by logging to JSON (consensus module set to debug) or by the RPC dump_consensus_state, potentially halting the node. The issue...

CVE-2023-34450 CometBFT PeerState JSON serialization deadlock

CometBFT is a Byzantine Fault Tolerant BFT middleware that takes a state transition machine and replicates it on many machines. An internal modification made in versions 0.34.28 and 0.37.1 to the way struct PeerState is serialized to JSON introduced a deadlock when new function MarshallJSON is...

CVE-2023-34450 CometBFT PeerState JSON serialization deadlock

CometBFT is a Byzantine Fault Tolerant BFT middleware that takes a state transition machine and replicates it on many machines. An internal modification made in versions 0.34.28 and 0.37.1 to the way struct PeerState is serialized to JSON introduced a deadlock when new function MarshallJSON is...

PT-2023-24886 · Cometbft · Cometbft

Name of the Vulnerable Software and Affected Versions: CometBFT versions 0.34.28 through 0.34.28 CometBFT versions 0.37.1 through 0.37.1 Description: An internal modification to the way struct PeerState is serialized to JSON introduced a deadlock when the new function MarshallJSON is called. This...

FasterXML jackson-databind 安全漏洞

FasterXML jackson-databind is FasterXML company based on a JAVA can be XML and JSON and other data formats and JAVA objects for the conversion of the library . Jackson can be easily converted into Java objects and json objects and xml documents , the same can be json, xml conversion into Java...

[SECURITY] Fedora 36 Update: golang-github-pquerna-ffjson-0-0.10.20200730gitaa0246c.fc36

Ffjson generates static MarshalJSON and UnmarshalJSON functions for structures in Go. The generated functions reduce the reliance upon runtime reflection to do serialization and are generally 2 to 3 times faster. In cases where ffjson doesn't understand a Type involved, it falls back to...

[SECURITY] Fedora 35 Update: golang-github-pquerna-ffjson-0-0.9.20200730gitaa0246c.fc35

Ffjson generates static MarshalJSON and UnmarshalJSON functions for structures in Go. The generated functions reduce the reliance upon runtime reflection to do serialization and are generally 2 to 3 times faster. In cases where ffjson doesn't understand a Type involved, it falls back to...

Unsafe deserialisation in the PKI implementation scheme of NVFlare

Impact NVFLARE contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact...

Fat Free CRM allows remote attackers to obtain sensitive information via a direct request

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json...

GHSA-4XQ9-VW89-P5CX Fat Free CRM allows remote attackers to obtain sensitive information via a direct request

Fat Free CRM before 0.12.1 does not restrict JSON serialization, which allows remote attackers to obtain sensitive information via a direct request, as demonstrated by a request for users/1.json...

XStream Arbitrary Code Execution Vulnerability (CNVD-2021-67817)

XStream is an open source Java class library that is mainly used to serialize objects to XML JSON or deserialize them to objects.XStream 1.4.17 and earlier versions have an arbitrary code execution vulnerability that can be exploited by attackers to cause arbitrary code execution...

SUSE-SU-2021:0906-1 Security update for SUSE Manager Server 4.1

This update fixes the following issues: cobbler: - Fix string replacement for @@xyz@@ - Better performing string replacements grafana-formula: - Set supported to false for unsupported systems bsc1182001 - Add SLES 15 SP3 and openSUSE Leap 15.3 to supported versions mgr-libmod: - Fix 'listmodules'...

Design/Logic Flaw

This affects the package @scullyio/scully before 1.0.9. The transfer state is serialised with the JSON.stringify function and then written into the HTML page...

Armink Struct2json 缓冲区错误漏洞

struct2json is an open source C structure and JSON fast intertransfer library , you can quickly achieve structure objects and JSON objects between serialization and deserialization requirements. A buffer overflow vulnerability exists in versions of struct2json prior to 2020-11-18. Currently there...

Information Disclosure

play-java is vulnerable to information disclosure. The vulnerability exists when performing JSON serialization of classes with protected or private fields through the Java API...