341 matches found

Gitee
added 2020/03/28 4:58 p.m., 4 views

Exploit for Deserialization of Untrusted Data in Oracle Weblogic_Server

CVE-2018-2628 is a remote command execution vulnerability in Oracle WebLogic Server. The exploit code is written in Python and uses the CVE-2018-2628 Weblogic GetShell.py script to exploit the vulnerability. The script sends a specially crafted request to the vulnerable server, which allows an...

CVSS 9.8 | AI score 8.1 | EPSS 0.94422
Exploits: 68
IBM Security Bulletins
added 2020/03/23 8:41 p.m., 40 views

Security Bulletin: Vulnerability in Apache Commons affects WebSphere Message Broker and IBM Integration Bus (CVE-2015-7450)

Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed in the Global Cache component of WebSphere Message Broker and IBM Integration Bus. Vulnerability Details: CVEID: CVE-2015-7450. DESCRIPTION: Apache Commons Collections could allow a remote...

CVSS 10 | AI score 1.5 | EPSS 0.93274
Exploits: 10 | Affected Software: 2
IBM Security Bulletins
added 2019/12/18 2:26 p.m., 110 views

Security Bulletin: Vulnerability in Apache Commons affects IBM i (CVE-2015-7450)

Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM i. Vulnerability Details: CVEID: CVE-2015-7450. DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the...

CVSS 10 | AI score 3.9 | EPSS 0.93274
Exploits: 10 | Affected Software: 1
IBM Security Bulletins
added 2019/12/17 10:56 p.m., 44 views

Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM Sterling Secure Proxy (CVE-2016-3092)

Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Sterling Secure Proxy. Vulnerability Details: CVEID: CVE-2016-3092. DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload...

CVSS 7.8 | AI score 1 | EPSS 0.40246
Exploits: 0 | Affected Software: 1
Prion
added 2019/10/02 7:15 p.m., 16 views

Deserialization of untrusted data

A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An...

CVSS 7.5 | AI score 9.6 | EPSS 0.06688
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2019/10/02 6:15 p.m., 18 views

CVE-2019-12630 Cisco Security Manager Java Deserialization Vulnerability

A vulnerability in the Java deserialization function used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An...

CVSS 6.5 | AI score 9.8 | EPSS 0.06688
Exploits: 0 | References: 1
Prion
added 2019/09/11 9:15 p.m., 21 views

Deserialization of untrusted data

The java.io.ObjectInputStream is known to cause Java serialisation issues. This issue is exposed by the "webtools/control/httpService" URL and uses Java deserialization to perform code execution. In the HttpEngine, the value of the request parameter "serviceContext" is passed to the...

CVSS 7.5 | AI score 9.6 | EPSS 0.15419
Exploits: 0 | References: 13 | Affected Software: 1
NVD
added 2019/09/05 10:15 p.m., 8 views

CVE-2019-14224

An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload malicious Solr...

CVSS 9 | AI score 7.6 | EPSS 0.00884
Exploits: 1 | References: 1
Prion
added 2019/09/05 10:15 p.m., 15 views

Deserialization of untrusted data

An issue was discovered in Alfresco Community Edition 5.2 201707. By leveraging multiple components in the Alfresco Software applications, an exploit chain was observed that allows an attacker to achieve remote code execution on the victim machine. The attacker must upload malicious Solr...

CVSS 9 | AI score 7.5 | EPSS 0.00884
Exploits: 1 | References: 1 | Affected Software: 1
Tenable Nessus
added 2019/08/12 12:00 a.m., 31 views

NewStart CGSL MAIN 4.05 : xmlrpc3 Vulnerability (NS-SA-2019-0136)

The remote NewStart CGSL host, running version MAIN 4.05, has xmlrpc3 packages installed that are affected by a vulnerability: - A flaw was discovered in the Apache XML-RPC ws-xmlrpc library that deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacker could use...

CVSS 9.8 | AI score 8.3 | EPSS 0.41523
Exploits: 1 | References: 2
Tenable Nessus
added 2019/08/12 12:00 a.m., 29 views

NewStart CGSL CORE 5.04 / MAIN 5.04 : xmlrpc Vulnerability (NS-SA-2019-0037)

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has xmlrpc packages installed that are affected by a vulnerability: - A flaw was discovered in the Apache XML-RPC ws-xmlrpc library that deserializes untrusted data when the enabledForExtensions setting is enabled. A remote attacke...

CVSS 9.8 | AI score 8.3 | EPSS 0.41523
Exploits: 1 | References: 2
Veracode
added 2019/07/08 10:38 a.m., 71 views

Arbitrary Code Execution

Apache Commons Collections ACC library is vulnerable to Arbitrary Code Execution. The vulnerability is possible because it directly uses ACC, or contains ACC, in the classpath, which allows an attacker to gain read access to unnecessary information in debug messages by sending modified requests...

CVSS 7.5 | AI score 7.2 | EPSS 0.212
Exploits: 1 | References: 16 | Affected Software: 2
Veracode
added 2019/05/02 5:21 a.m., 40 views

Command Injection

Jenkins is vulnerable to command injection. The attack exists because it allows injection of a serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-.jar file and the "Groovy variant in 'ysoserial'"...

CVSS 9.8 | AI score 9.4 | EPSS 0.86333
Exploits: 12 | References: 49 | Affected Software: 53
Tenable Nessus
added 2019/02/25 12:00 a.m., 79 views

Oracle WebLogic Server 10.3.6.0 / 12.1.3.0 / 12.2.1.3 Java Object Deserialization RCE (CVE-2018-3191)

Binary data oracleweblogicservercve20183191.nbin...

CVSS 9.8 | AI score 9.6 | EPSS 0.90661
Exploits: 0 | References: 3
IBM Security Bulletins
added 2019/01/31 2:25 a.m., 18 views

Security Bulletin: Vulnerability in Apache Commons affects IBM System Networking Switch Center (CVE-2015-7450)

Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM System Networking Switch Center. Vulnerability Details: Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM System...

CVSS 10 | AI score 1.7 | EPSS 0.93274
Exploits: 10
IBM Security Bulletins
added 2019/01/31 2:25 a.m., 17 views

Security Bulletin: Vulnerability in Apache Commons affects IBM Fabric Manager (IFM) (CVE-2015-7450)

Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Fabric Manager IFM. Vulnerability Details: Summary: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Fabric Manager IFM...

CVSS 10 | AI score 1 | EPSS 0.93274
Exploits: 10 | Affected Software: 1
Tenable Nessus
added 2018/12/28 12:00 a.m., 32 views

Oracle Business Intelligence Publisher Multiple Vulnerabilities (April 2018 CPU)

The version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.7.x prior to 11.1.1.7.180417 or 11.1.1.9.x prior to 11.1.1.9.180417. Similarly, versions 12.2.1.2.x prior to 12.2.1.2.180116 and 12.2.1.3.x prior to 12.2.1.3.180116 are affected, as noted in the April 2018...

CVSS 10 | AI score 7.3 | EPSS 0.71461
Exploits: 8 | References: 3
Github Security Blog
added 2018/10/16 11:13 p.m., 50 views

Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks

Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to a Java object de-serialisation vulnerability. Camel allows such a type to be specified through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in various...

CVSS 9.8 | AI score 9.5 | EPSS 0.12248
Exploits: 1 | References: 23 | Affected Software: 1
OSV
added 2018/10/16 11:10 p.m., 0 views

GHSA-GV5F-CJW9-5VXG Camel-xstream component in Apache Camel can allow remote attackers to execute arbitrary commands

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request...

CVSS 9.8 | AI score 7.5 | EPSS 0.04974
Exploits: 0 | References: 17
Github Security Blog
added 2018/10/16 5:21 p.m., 36 views

Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization

Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization. De-serializing untrusted data can lead to security flaws...

CVSS 9.8 | AI score 2.1 | EPSS 0.02766
Exploits: 0 | References: 17 | Affected Software: 1