CVE-2017-1000353

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java SignedObject object to the Jenkins CLI, that would be deserialized...

[SECURITY] Fedora 26 Update: xstream-1.4.9-5.fc26

XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...

Oracle OpenJDK Runtime Environment Build 1.8.0_112-b15 Denial Of Service

Application: Java SE Vendor: Oracle Bug: DoS Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 17.01.2017 Reference: Oracle CPU Jan 2017 Author: Roman Shalymov 1. ADVISORY INFORMATION Title: Oracle OpenJDK - Java Serialization DoS Advisory ID: ERPSCAN-17-006 Risk: High...

Oracle OpenJDK Runtime Environment 1.8.0_112-b15 - Java Serialization Denial Of Service

''' Application: Java SE Vendor: Oracle Bug: DoS Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 17.01.2017 Reference: Oracle CPU Jan 2017 Author: Roman Shalymov 1. ADVISORY INFORMATION Title: Oracle OpenJDK - Java Serialization DoS Advisory ID: ERPSCAN-17-006 Risk: High...

Apache shiro 1.2.4 version of remote command execution vulnerability details-vulnerability warning-the black bar safety net

Search, I found online about apache shiro 1.2.4 version of the vulnerability consolidation report to write too simple, is perhaps the bigwigs speaking of professional, I this noob can't read the reason, specially in the local do a full show. First from the shiro official get shiro 1.2.4 of the...

FreeBSD : groovy -- remote execution of untrusted code/DoS vulnerability (4af92a40-db33-11e6-ae1b-002590263bf5)

The Apache Groovy project reports : When an application with Groovy on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when...

Oracle OpenJDK - Java Serialization DoS vulnerability

Application: Oracle OpenJDK Vendor: Oracle Bug: DoS Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 17.01.2017 Reference: Oracle CPU Jan 2017 Authors: Roman Shalymov VULNERABILITY INFORMATION Class: Denial of Service Remotely Exploitable: Yes Locally Exploitable: Yes CVS...

groovy -- remote execution of untrusted code/DoS vulnerability

The Apache Groovy project reports: When an application with Groovy on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when...

BeanShell: Arbitrary code execution

Background BeanShell is a small, free, embeddable Java source interpreter with object scripting language features, written in Java. Description An application that includes BeanShell on the classpath may be vulnerable if another part of the application uses Java serialization or XStream to...

Shiro RememberMe 1.2.4 deserialize the result of command execution vulnerability

Author: rungobier 知道创宇404安全实验室 概述 Apache Shiro 在 Java 的权限及安全验证框架中占用重要的一席之地，在它编号为550的 issue 中爆出严重的 Java 反序列化漏洞。下面，我们将模拟还原此漏洞的场景以及分析过程。 0x01 漏洞场景还原 首先，需要获取 Apache Shiro 存在漏洞的源代码，具体操作如下: git clone https://github.com/apache/shiro.git git checkout shiro-root-1.2.4 cd ./shiro/samples/web...

PayPal Fixes CSRF Vulnerability in PayPal.me

PayPal recently fixed a vulnerability on its PayPal.me site that could have let an attacker change a user’s profile without permission. The issue stemmed from a cross-site request forgery CSRF vulnerability that existed in PayPal.me, a site the company launched last year to let its users request...

Esoteric Software kryo Security Bypass Vulnerability

Esoteric Software kryo is Esoteric Software's set of object serialization framework for Java . A security bypass vulnerability exists in Esoteric Software kryo, which can be exploited by an attacker to bypass security restrictions and perform unauthorized operations...

groovy: remote execution of untrusted code in class MethodClosure

A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code...

CVE-2016-4369

HPE Discovery and Dependency Mapping Inventory DDMi 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library...

[SECURITY] Fedora 22 Update: xstream-1.4.9-1.fc22

XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...

[SECURITY] Fedora 23 Update: xstream-1.4.9-1.fc23

XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...

CVE-2016-0686

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization...

DEBIAN-CVE-2016-2510

BeanShell bsh before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler...

CVE-2016-2510

BeanShell bsh before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler...

Xxe

BeanShell bsh before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler...