4221 matches found
[SECURITY] Fedora 33 Update: xstream-1.4.18-2.fc33
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
[SECURITY] Fedora 34 Update: xstream-1.4.18-2.fc34
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...
CVE-2021-0685
In ParsedIntentInfo of ParsedIntentInfo.java, there is a possible parcel serialization/deserialization mismatch due to unsafe deserialization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product:...
The vulnerability in the Flask extension stems from insecure privilege management. It allows attackers to access sensitive data, compromise its integrity, and cause service failures.
The vulnerability in the Flask extension stems from its use of Python's Pickle module to deserialize data. Exploiting it can allow a remote attacker to access sensitive data, compromise its integrity, and cause service failures...
Debian DLA-2769-1 : libxstream-java - LTS security update
The remote Debian 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-2769 advisory. - XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute...
A8: Insecure Deserialization ❗️ — Top 10 OWASP 2017
A8: Insecure Deserialization ❗️ — Top 10 OWASP 2017 Introduction Insecure deserialization has historically been seen as a very hard vulnerability to grasp, almost like a black box, but while it does have its challenges, so does every other issue type on the OWASP Top 10. Serialization is a...
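The Flask-extension entries above and the OWASP A8 entry describe the same failure: an application hands bytes it received from a client to a deserializer that can instantiate arbitrary classes and call arbitrable callables. The following is an added example, not code from Flask, any Flask extension, or OWASP, that reproduces the Pickle variant in a session-cookie setting and puts two mitigations beside it. The cookie contents, the `eval`-based gadget (standing in for `os.system`), and the signing key are constructed for the demo.

```python
"""Insecure deserialization of a Flask-style session cookie with pickle,
beside an allowlisting unpickler and a signed-JSON replacement.
Added example; not code from Flask, any Flask extension, or OWASP."""
import base64
import hashlib
import hmac
import io
import json
import pickle


class Payload:
    """Attacker-side gadget. The pickle stream records "call eval('6 * 7')";
    the victim's pickle.loads performs that call. The class itself is never
    sent, only the callable's module and name, so the victim needs no
    knowledge of it. eval stands in for os.system or subprocess.Popen."""
    def __reduce__(self):
        return (eval, ("6 * 7",))


def build_malicious_cookie():
    return base64.b64encode(pickle.dumps(Payload())).decode()


def build_plain_cookie(data):
    """A legitimate cookie as the vulnerable app itself would issue it."""
    return base64.b64encode(pickle.dumps(data)).decode()


# --- Vulnerable: pickle.loads on attacker-controlled bytes -------------------
def load_session_unsafe(cookie):
    # Any callable the stream names is imported and invoked while loading.
    return pickle.loads(base64.b64decode(cookie))


# --- Mitigation 1: allowlist what the unpickler may resolve ------------------
class RestrictedUnpickler(pickle.Unpickler):
    # Plain data (dict/list/str/int/...) is encoded by dedicated opcodes and
    # never reaches find_class, so an empty allowlist still loads it.
    ALLOWED = frozenset()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to resolve %s.%s" % (module, name))


def load_session_restricted(cookie):
    """Returns ("ok", obj) or ("rejected", reason); stream-named code never runs."""
    try:
        obj = RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))
    return ("ok", obj)


# --- Mitigation 2: carry data, not objects, and authenticate it --------------
SECRET = b"constructed-demo-key-rotate-me"  # assumption: loaded from config in practice


def _sign(body):
    return hmac.new(SECRET, body, hashlib.sha256).digest()


def make_signed_session(data):
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(_sign(body)).decode())


def load_signed_session(cookie):
    """Returns the session dict, or None for malformed or tampered cookies."""
    try:
        body_b64, tag_b64 = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:          # covers binascii.Error and a missing "."
        return None
    if not hmac.compare_digest(tag, _sign(body)):
        return None
    return json.loads(body)     # JSON yields only data types, never callables


def tamper_body(cookie, new_data):
    """Attacker keeps the old tag and swaps in a new body (must fail to verify)."""
    body = json.dumps(new_data, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + cookie.split(".", 1)[1]


if __name__ == "__main__":
    print(load_session_unsafe(build_malicious_cookie()))             # 42
    print(load_session_restricted(build_malicious_cookie()))         # ('rejected', ...)
    print(load_session_restricted(build_plain_cookie({"user": "alice"})))
    c = make_signed_session({"user": "alice"})
    print(load_signed_session(c), load_signed_session(tamper_body(c, {"user": "admin"})))
```

The unsafe loader returns 42 because the attacker's expression was evaluated inside the server; the restricted loader rejects the same cookie at `find_class` before any callable is resolved, while still loading a genuine data-only cookie. Restricting `find_class` sharply reduces what a stream can do, but the durable fix is the third function: a format that cannot express objects at all, plus an HMAC so the server only parses bodies it issued. The class allowlist is the Python counterpart of the serializer-factory configuration that the Apache Dubbo Hessian entries below describe as absent.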
SolarWinds Network Performance Monitor FromJson Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 used by IBM Security Guardium. These issues were disclosed as part of the IBM Java SDK updates in October 2020. Vulnerability Details CVEID: CVE-2020-14779 DESCRIPTION: An unspecified vulnerability in Java ...
Metasploit Wrap-Up
Confluence Server OGNL Injection Our own wvu along with Jang added a module that exploits an OGNL injection, CVE-2021-26084, in Atlassian Confluence's WebWork component to execute commands as the Tomcat user. CVE-2021-26084 is a critical remote code execution vulnerability in Confluence Server and...
Security check skip in Apache Dubbo
The Dubbo Provider checks that the incoming request and its serialization type meet the configuration set by the server. But there is an exception that an attacker can use to skip the security check, when enabled, and reach a deserialization operation with native Jav...
GHSA-Q897-9JXF-JG9R Security check skip in Apache Dubbo
The Dubbo Provider checks that the incoming request and its serialization type meet the configuration set by the server. But there is an exception that an attacker can use to skip the security check, when enabled, and reach a deserialization operation with native Jav...
CVE-2021-37579
The Dubbo Provider checks that the incoming request and its serialization type meet the configuration set by the server. But there is an exception that an attacker can use to skip the security check, when enabled, and reach a deserialization operation with native Jav...
Deserialization of untrusted data
The Dubbo Provider checks that the incoming request and its serialization type meet the configuration set by the server. But there is an exception that an attacker can use to skip the security check, when enabled, and reach a deserialization operation with native Jav...
CVE-2021-37579
The CVE-2021-37579 entry concerns Apache Dubbo’s Dubbo Provider deserialization flow. The issue allows an attacker to bypass the configured security check and reach a deserialization operation using native Java serialization when an incoming request and its serialization type aren’t properly vali...
Apache Dubbo code issue vulnerability
Apache Dubbo is a lightweight Java-based RPC (Remote Procedure Call) framework from the Apache Software Foundation. It provides interface-based remote calls, fault tolerance, load balancing, and automatic service registration and discovery. A code issue vulnerability exists ...
Hessian protocol configuration vulnerability in Apache Dubbo
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton. New HessianSkeletons are created without any configuration of the serialization factory and therefore without...
GHSA-CPX9-4RWV-486V Hessian protocol configuration vulnerability in Apache Dubbo
In Apache Dubbo, users may choose to use the Hessian protocol. The Hessian protocol is implemented on top of HTTP and passes the body of a POST request directly to a HessianSkeleton. New HessianSkeletons are created without any configuration of the serialization factory and therefore without...
OESA-2021-1337 xstream security update
XStream is a simple library to serialize objects to XML and back again. A high level facade is supplied that simplifies common use cases. Custom objects can be serialized without need for specifying mappings. Speed and low memory footprint are a crucial part of the design, making it suitable for...