Lucene search

768 matches found

ATTACKERKB (added 2022/03/24 11:00 p.m., 3 views)

CVE-2022-26133

SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java...

CVSS 9.8 | AI score 6.2 | EPSS 0.81388
Exploits: 4 | References: 3 | Affected Software: 1
Atlassian (added 2022/03/18 7:56 p.m., 56 views)

Bitbucket Data Center - Java Deserialization Vulnerability In Hazelcast - CVE-2022-26133

Update: 2022/04/08 23:00 UTC. Assigned CVE-2022-26133 to this vulnerability, which was determined to be similar to CVE-2016-10750 yet slightly different and specific to Bitbucket. Note the new CVE assignment does not change any other information in this advisory...

CVSS 9.8 | AI score 3.2 | EPSS 0.81388
Exploits: 4
Github Security Blog (added 2022/03/18 5:57 p.m., 37 views)

Deserialization of Untrusted Data in Apache Dubbo

Apache Dubbo prior to 2.6.9 and 2.7.10 by default supports generic calls to arbitrary methods exposed by provider interfaces. These invocations are handled by the GenericFilter which will find the service and method specified in the first arguments of the invocation and use the Java Reflection AP...

CVSS 9.8 | AI score 1.8 | EPSS 0.02183
Exploits: 0 | References: 4 | Affected Software: 2
VulnCheck KEV (added 2022/03/16 12:00 a.m., 0 views)

VulnCheck KEV: CVE-2018-0147

A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software...

CVSS 10 | AI score 7.6 | EPSS 0.03952
Exploits: 0 | References: 1
OSV (added 2022/01/28 10:24 p.m., 0 views)

GHSA-JH5G-9M4V-9VV9 Insecure Java Deserialization in Apache Karaf

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI-based technology that relies on Java serialized objects for client-server communication. Whereas the default JMX implementation is hardened against unauthenticated...

CVSS 8.1 | AI score 7.1 | EPSS 0.005
Exploits: 0 | References: 8
Cvelist (added 2022/01/26 11:10 a.m., 18 views)

CVE-2021-41766 Insecure Java Deserialization in Apache Karaf

Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI-based technology that relies on Java serialized objects for client-server communication. Whereas the default JMX implementation is hardened against unauthenticated...

AI score 8.6 | EPSS 0.005
Exploits: 0 | References: 1
Trellix (added 2022/01/19 12:00 a.m., 36 views)

Log4shell Vulnerability is the Coal in Our Stocking for 2021

Log4Shell Vulnerability is the Coal in our Stocking for 2021. By Steve Povolny and Douglas McKee · January 19, 2022. Overview: On December 9, a vulnerability (CVE-2021-44228) was released on Twitter along with a PoC on GitHub for the Apache Log4j logging library. The bug was originally disclosed to...

CVSS 10 | AI score 9.3 | EPSS 0.94358
Exploits: 341
Prion (added 2021/10/28 4:15 p.m., 18 views)

Code injection

In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct a malicious java.util.Dictionary object that can cause 100%...

CVSS 6.8 | AI score 6.6 | EPSS 0.00434
Exploits: 0 | References: 1 | Affected Software: 1
OSV (added 2021/10/28 11:15 a.m., 0 views)

CVE-2019-19810

Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host...

CVSS 10 | AI score 6.2 | EPSS 0.08679
Exploits: 1 | References: 1
NVD (added 2021/10/28 11:15 a.m., 9 views)

CVE-2019-19810

Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host...

CVSS 10 | EPSS 0.08679
Exploits: 1 | References: 1
CVE (added 2021/10/28 10:23 a.m., 66 views)

CVE-2019-19810

CVE-2019-19810 affects Zoom Call Recording 6.3.1 from Eleveo. The vulnerability is tied to Java deserialization via the product's built-in RMI service, enabling a remote unauthenticated attacker to send crafted RMI requests and execute arbitrary code on the target host. The connected records conf...

CVSS 10 | AI score 9.7 | EPSS 0.08679
Exploits: 1 | References: 1 | Affected Software: 1
Cvelist (added 2021/10/28 10:23 a.m., 11 views)

CVE-2019-19810

Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote unauthenticated attacker can exploit this vulnerability by sending crafted RMI requests to execute arbitrary code on the target host...

AI score 9.8 | EPSS 0.08679
Exploits: 1 | References: 1
CNNVD (added 2021/10/28 12:00 a.m., 1 view)

ZOOM Zoom Call Recording code issue vulnerability

ZOOM Zoom Call Recording is a scalable session recording management solution from Zoom (ZOOM, USA). The product supports features such as recording, managing and finding session records. A code issue exists in Zoom Call Recording version 6.3.1, which stems from the software's built-in RMI service th...

CVSS 10 | AI score 8.8 | EPSS 0.08679
Exploits: 1 | References: 2
Gitee (added 2021/10/19 4:45 p.m., 1 view)

marshalsec

This repository is an offensive tool for Java deserialization exploitation. It is a Java-based tool that exploits Java object deserialization vulnerabilities, which can lead to remote code execution (RCE) and other security issues. The tool includes payload generators for various Java marshalling...

AI score 8.3
Exploits: 0
Gitee (added 2021/10/16 11:59 p.m., 4 views)

PocCollect

This is a Python-based proof-of-concept (POC) collection repository. The repository contains a variety of POCs for different vulnerabilities, including Struts2, Heartbleed, and Java Deserialization. The POCs are designed to be used for educational purposes only and should not be used for malicious...

AI score 7
Exploits: 0
Gitee (added 2021/10/16 8:42 p.m., 2 views)

jexboss

This is an offensive tool for Java Deserialization Vulnerabilities. The tool is called JexBoss and is used to verify and exploit vulnerabilities in JBoss Application Server and other Java platforms, frameworks, and applications. The tool is written in Python and has a command-line interface. It c...

AI score 7.4
Exploits: 0
Snyk (added 2021/10/11 4:57 p.m., 1 view)

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the writeReplace method in internal classes, which may allow a denial of service attack if combined with another exploit. Details: Serialization is a process of converting an object into a sequence o...

CVSS 7.7 | AI score 9.3 | EPSS 0.02873
Exploits: 0 | References: 2
Tenable Nessus (added 2021/09/14 12:00 a.m., 45 views)

Cisco Security Manager Java Deserialization (cisco-sa-csm-java-rce-mWJEedcD)

A remote code execution vulnerability exists in Cisco Security Manager due to insecure deserialization of user-supplied content. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. Note that Nessus has not tested for this issue but has...

CVSS 10 | AI score 9.6 | EPSS 0.88492
Exploits: 0 | References: 4
NVD (added 2021/08/31 4:15 a.m., 10 views)

CVE-2021-36981

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code...

CVSS 9 | EPSS 0.165
Exploits: 2 | References: 4
OSV (added 2021/08/31 4:15 a.m., 16 views)

CVE-2021-36981

In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code...

CVSS 8.8 | AI score 7.4 | EPSS 0.165
Exploits: 2 | References: 4