Lucene search
4220 matches found

RedhatCVE
added 2022/05/14 11:39 a.m., 44 views

CVE-2020-9547

A flaw was found in jackson-databind 2.x. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 9.8, AI score 2.3, EPSS 0.38262
Exploits 0, References 3

RedhatCVE
added 2022/05/14 11:38 a.m., 105 views

CVE-2020-10968

A flaw was found in jackson-databind 2.x prior to version 2.9.10.4. The interaction between serialization gadgets and typing is mishandled in the bus-proxy. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Mitigation The following...

CVSS 8.8, AI score 3.6, EPSS 0.03824
Exploits 0, References 3

RedhatCVE
added 2022/05/14 11:38 a.m., 73 views

CVE-2020-10672

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.4. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 8.8, AI score 3.5, EPSS 0.39493
Exploits 0, References 3

RedhatCVE
added 2022/05/14 11:32 a.m., 49 views

CVE-2020-11619

A flaw was found in jackson-databind 2.x. The interaction between serialization gadgets and typing is mishandled. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Mitigation The following conditions are needed for an exploit, we...

CVSS 8.1, AI score 2.2, EPSS 0.01367
Exploits 0, References 3

Github Security Blog
added 2022/05/13 1:25 a.m., 80 views

Deserialization of Untrusted Data in Groovy

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized...

CVSS 9.8, AI score 5.2, EPSS 0.24315
Exploits 0, References 16, Affected Software 2

OSV
added 2022/05/13 1:14 a.m., 27 views

GHSA-GXG6-RC6C-V673 Improper Input Validation in BeanShell

BeanShell bsh before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler...

CVSS 8.1, AI score 8.3, EPSS 0.39216
Exploits 1, References 18

Github Security Blog
added 2022/05/13 1:14 a.m., 69 views

Improper Input Validation in BeanShell

BeanShell bsh before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler...

CVSS 8.1, AI score 7.5, EPSS 0.39216
Exploits 1, References 19, Affected Software 1

Tenable Nessus
added 2022/05/09 12:00 a.m., 30 views

NewStart CGSL CORE 5.05 / MAIN 5.05 : xstream Multiple Vulnerabilities (NS-SA-2022-0033)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has xstream packages installed that are affected by multiple vulnerabilities: - XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a...

CVSS 9.9, AI score 7.3, EPSS 0.88091
Exploits 5, References 11

IBM Security Bulletins
added 2022/05/07 9:42 p.m., 17 views

Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to an unspecified vulnerability in Java SE (CVE-2022-21341)

Summary An unspecified vulnerability in Java SE - CVE-2022-21341 related to the Serialization component has been identified that affects IBM Watson Assistant for IBM Cloud Pak for Data. Java SE is used by IBM Watson Assistant for IBM Cloud Pak for Data as part of its platform for development of...

CVSS 5.3, AI score 1.4, EPSS 0.00143
Exploits 0, Affected Software 1

Fedora
added 2022/05/07 5:06 a.m., 21 views

[SECURITY] Fedora 36 Update: golang-github-googleapis-gnostic-0.5.3-5.fc36

This package contains a Go command line tool which converts JSON and YAML OpenAPI descriptions to and from equivalent Protocol Buffer representations. Protocol Buffers provide a language-neutral, platform-neutral, extensible mechanism for serializing structured data. gnostic's Protocol Buffer...

CVSS 7.5, AI score 9.1, EPSS 0.00089
Exploits 0

OSV
added 2022/05/05 12:28 a.m., 15 views

GHSA-Q8J7-FJH7-25V5 Symfony collectionCascaded and collectionCascadedDeeply fields security bypass

When using the Validator component, if Symfony\Component\Validator\Mapping\Cache\ApcCache is enabled or any other cache implementing Symfony\Component\Validator\Mapping\Cache\CacheInterface, some information is lost during serialization the collectionCascaded and the...

CVSS 8.1, AI score 7.8, EPSS 0.00567
Exploits 0, References 11

Github Security Blog
added 2022/05/05 12:28 a.m., 20 views

Symfony collectionCascaded and collectionCascadedDeeply fields security bypass

When using the Validator component, if Symfony\Component\Validator\Mapping\Cache\ApcCache is enabled or any other cache implementing Symfony\Component\Validator\Mapping\Cache\CacheInterface, some information is lost during serialization the collectionCascaded and the...

CVSS 8.1, AI score 6.6, EPSS 0.00567
Exploits 0, References 11, Affected Software 2

Veracode
added 2022/05/04 2:43 p.m., 42 views

Denial Of Service (DoS)

Gson is vulnerable to denial of service. The vulnerability exists in internal java classes due to not preventing writing a replacement JDK object during serialization which allows an attacker to cause an application crash...

CVSS 7.7, AI score 3.7, EPSS 0.0226
Exploits 0, References 9, Affected Software 31

Tenable Nessus
added 2022/04/29 12:00 a.m., 256 views

IBM Java 7.0 < 7.0.10.70 / 7.1 < 7.1.4.70 / 8.0 < 8.0.6.15 Multiple Vulnerabilities (Jan 14, 2020)

The version of IBM Java installed on the remote host is prior to 7.0 7.0.10.70 / 7.1 7.1.4.70 / 8.0 8.0.6.15. It is, therefore, affected by multiple vulnerabilities as referenced in the Oracle January 14 2020 CPU advisory. - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE...

CVSS 8.1, AI score 6.5, EPSS 0.01699
Exploits 0, References 16

Tenable Nessus
added 2022/04/29 12:00 a.m., 36 views

IBM Java 7.0 < 7.0.10.65 / 7.1 < 7.1.4.65 / 8.0 < 8.0.6.25 Multiple Vulnerabilities

The version of IBM Java installed on the remote host is prior to 7.0 7.0.10.65 / 7.1 7.1.4.65 / 8.0 8.0.6.25. It is, therefore, affected by multiple vulnerabilities as referenced in the Oracle April 14 2020 CPU advisory. - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE...

CVSS 8.3, AI score 6.5, EPSS 0.02622
Exploits 0, References 21

Tenable Nessus
added 2022/04/29 12:00 a.m., 54 views

IBM Java 6.0 < 6.0.16.25 / 6.1 < 6.1.8.25 / 7.0 < 7.0.9.40 / 7.1 < 7.1.3.40 / 8.0 < 8.0.3.0 Multiple Vulnerabilities (Apr 19, 2016)

The version of IBM Java installed on the remote host is prior to 6.0 6.0.16.25 / 6.1 6.1.8.25 / 7.0 7.0.9.40 / 7.1 7.1.3.40 / 8.0 8.0.3.0. It is, therefore, affected by multiple vulnerabilities as referenced in the Oracle April 19 2016 CPU advisory. - Unspecified vulnerability in Oracle Java SE...

CVSS 10, AI score 7.1, EPSS 0.93287
Exploits 1, References 15

Tenable Nessus
added 2022/04/29 12:00 a.m., 262 views

IBM Java 6.0 < 6.0.16.55 / 6.1 < 6.1.8.55 / 7.0 < 7.0.15.5 / 7.1 < 7.1.5.5 / 8.0 < 8.0.5.5 Multiple Vulnerabilities

The version of IBM Java installed on the remote host is prior to 6.0 6.0.16.55 / 6.1 6.1.8.55 / 7.0 7.0.15.5 / 7.1 7.1.5.5 / 8.0 8.0.5.5. It is, therefore, affected by multiple vulnerabilities as referenced in the Oracle October 17 2017 CPU advisory. - inffast.c in zlib 1.2.8 might allow...

CVSS 9.8, AI score 7, EPSS 0.19177
Exploits 8, References 34

Fedora
added 2022/04/28 5:55 a.m., 40 views

[SECURITY] Fedora 34 Update: golang-github-googleapis-gnostic-0.5.3-5.fc34

This package contains a Go command line tool which converts JSON and YAML OpenAPI descriptions to and from equivalent Protocol Buffer representations. Protocol Buffers provide a language-neutral, platform-neutral, extensible mechanism for serializing structured data. gnostic's Protocol Buffer...

CVSS 7.5, AI score 9.1, EPSS 0.00089
Exploits 0

IBM Security Bulletins
added 2022/04/27 2:53 p.m., 32 views

Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Java

Summary IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Java. Vulnerability Details CVEID: CVE-2022-21365 DESCRIPTION: An unspecified vulnerability in Java SE related to the ImageIO component could allow an unauthenticated attacker to cause a denial of service...

CVSS 5.9, AI score 2.9, EPSS 0.05612
Exploits 0, Affected Software 1

Prion
added 2022/04/26 7:15 p.m., 14 views

Design/Logic Flaw

Discourse Assign is a plugin for assigning users to a topic in Discourse, an open-source messaging platform. Prior to version 1.0.1, the UserBookmarkSerializer serialized the whole User / Group object, which leaked some private information. The data was only being serialized to people who could...

CVSS 4, AI score 4.6, EPSS 0.00167
Exploits 0, References 2, Affected Software 1
