4222 matches found
CVE-2021-29508
Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any...
Information disclosure
Due to how Wire handles type information in its serialization format, malicious payloads can be passed to a deserializer. e.g. using a surrogate on the sender end, an attacker can pass information about a different type for the receiving end. And by doing so allowing the serializer to create any...
CVE-2021-29508
CVE-2021-29508 affects Wire and its fork, due to insecure handling of type information in its serialization format. The vulnerability allows a deserializer to be influenced by a malicious payload, potentially enabling the creation of any type on the receiving end. Public descriptions across Red H...
USN-4940-1 pyyaml vulnerability
It was discovered that PyYAML incorrectly handled untrusted YAML files with the FullLoader loader. A remote attacker could possibly use this issue to execute arbitrary code...
Exploit for Deserialization of Untrusted Data in Apache Ofbiz
CVE-2020-9496 - RCE Because the 2 xmlrpc related requests in we...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK addressed in IBM Cloud Pak System (April 2020 updates)
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used in IBM Cloud Pak System. These issues were disclosed as part of the IBM Java SDK quarterly April 2020 CPU updates. IBM Cloud Pak System addressed vulnerabilities. Vulnerability Details CVEID: CVE-2020-2604...
CentOS: Security Advisory for xstream (CESA-2021:1354)
The remote host is missing an update for the Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...
The REXML gem before 3.2.5 in Ruby before 2.6.7 2.7.x before 2.7.3 and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
...
CVE-2021-31919
An issue was discovered in the rkyv crate before 0.6.0 for Rust. When an archive is created via serialization, the archive content may contain uninitialized values of certain parts of a struct...
CVE-2021-31919
The CVE-2021-31919 entry concerns the Rust rkyv crate before version 0.6.0. During serialization, an archive may contain uninitialized values for certain struct parts, potentially affecting the serialized data’s integrity and confidentiality. The core affected component is rkyv (Rust). Publicly d...
xstream security update
CentOS Errata and Security Advisory CESA-2021:1354. An update for xstream is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...
Rust rkyv crate security vulnerability
Rust is a general-purpose, compiled programming language from the Mozilla Foundation. A security vulnerability exists in Rust rkyv crate versions prior to 0.6.0, which stems from the fact that when an archive is created via serialization, the contents of the archive may contain uninitialized valu...
Security Bulletin: Security Vulnerabilities in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology
Summary: There are multiple vulnerabilities in IBM® SDK Java Technology Edition, Version 1.6 and 1.7 that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational...
RUSTSEC-2021-0054 Archives may contain uninitialized memory
rkyv is a serialization framework that writes struct-compatible memory to be stored or transmitted. During serialization, struct padding bytes and unused enum bytes may not be initialized. These bytes may be written to disk or sent over unsecured channels...
Apache OFBiz Insecure Deserialization(CVE-2021-26295)
An insecure deserialization vulnerability exists in Apache OFBiz. This vulnerability is due to Java serialization issues when processing requests. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request...
CVE-2021-29200 RCE vulnerability in latest Apache OFBiz due to Java serialisation using RMI
Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack...