768 matches found
Deserialization of untrusted data
nGrinder before 3.5.9 accepts serialized Java objects from unauthenticated users, which could allow a remote attacker to execute arbitrary code via unsafe Java object deserialization...
CVE-2024-28213
CVE-2024-28213 concerns nGrinder pre-3.5.9, where the application accepts serialized Java objects from unauthenticated users, enabling unsafe Java object deserialization that could lead to remote code execution. Affected software: nGrinder versions before 3.5.9. Root cause: lack of input filterin...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : apache-parent, apache-sshd (SUSE-SU-2024:0224-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0224-1 advisory. - Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD =...
SUSE-SU-2024:0224-1 Security update for apache-parent, apache-sshd
This update for apache-parent, apache-sshd fixes the following issues: apache-parent was updated from version 28 to 31: - Version 31: New Features: + Added maven-checkstyle-plugin to pluginManagement Improvements: + Set minimalMavenBuildVersion to 3.6.3 - the minimum used by plugins + Using an SP...
Exploit for Code Injection in Apache Ofbiz
ofbiz-CVE-2023-49070-RCE-POC This is a pre-auth RCE POC For C...
CVE-2023-47174
Thorn SFTP gateway 3.4.x before 3.4.4 uses Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal, a related issue to CVE-2016-1000027. Also, within the specific context of Thorn SFTP gateway, this leads to remote code execution...
SUSE CVE-2016-6814
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized...
PT-2023-30342 · Pivotal · Spring Framework
Name of the Vulnerable Software and Affected Versions: Thorn SFTP gateway versions 3.4.x through 3.4.3 Description: The issue arises from the use of Pivotal Spring Framework for Java deserialization of untrusted data, which is not supported by Pivotal. This leads to remote code execution within t...
Thorn SFTP Gateway Security Vulnerability
Thorn SFTP Gateway is a solution for secure file transfer from Thorn designed to simplify and enhance the security and manageability of file transfers. A security vulnerability exists in Thorn SFTP Gateway version 3.4.x prior to 3.4.4 that stems from the presence of Java deserialization of...
CVE-2023-47174
CVE-2023-47174 affects Thorn SFTP gateway 3.4.x up to 3.4.3. The underlying issue is Java deserialization of untrusted data within the embedded Pivotal Spring Framework, which is not supported by Pivotal. This deserialization chain can lead to remote code execution in Thorn SFTP gateway environme...
OpenJDK: IOR deserialization issue in CORBA (8303384)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: CORBA. Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows...
Security Bulletin: The IBM® Engineering Lifecycle Engineering product is affected as Java deserialization filters (JEP 290) are ignored during IBM ORB deserialization (CVE-2022-40609)
Summary The IBM® Engineering Lifecycle Engineering product is affected because IBM ORB does not honour JEP 290 deserialization filters when deserializing serialised object data. This exposes the Java process to a variety of attacks ranging from denial of service to remote code execution via "gadgets" in third...
Security Bulletin: Multiple vulnerabilities in Akka affect IBM Application Performance Management products.
Summary Akka actor jar is used by IBM Application Performance Management. The vulnerabilities in the product component have been addressed. Vulnerability Details CVEID: CVE-2017-1000034 DESCRIPTION: Akka could allow a remote attacker to execute arbitrary code on the system, caused by a Java...
Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0 Multiple Vulnerabilities (APSB16-05)
The version of Adobe Experience Manager installed on the remote host is either 5.6.1, 6.0.0, or 6.1.0. It is, therefore, affected by multiple vulnerabilities as referenced in the APSB16-05 advisory. - Adobe Experience Manager version 6.1 is affected by a cross-site scripting vulnerability that...
CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed)
In August 2023, Rapid7 discovered a Java deserialization vulnerability in Redwood Software’s JSCAPE MFT secure managed file transfer product. The vulnerability was later assigned CVE-2023-4528. It can be exploited by sending an XML-encoded Java object to the Manager Service port, which, by defaul...
mina-sshd: Java unsafe deserialization vulnerability
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server...
Security Bulletin: IBM Java SDK update for Java deserialization filters (JEP 290) ignored during IBM ORB deserialization
Summary There are vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8, in which Java deserialization filters (JEP 290) are ignored during IBM ORB deserialization; this SDK is used by Rational Software Architect Designer and Rational Software Architect Designer for WebSphere Software. These issues we...
Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's...