4220 matches found

RedHat Linux
added 2020/03/17 1:11 p.m. | 0 views

OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)

A flaw was found in the serialization component of OpenJDK handled serialization filter. A process-wide filter could have been modified by setting jdk.serialFilter system property at runtime, possibly leading to a bypass of the intended filter during deserialization...

CVSS: 8.1 | AI score: 7.3 | EPSS: 0.01699
Exploits: 0 | References: 8
OSV
added 2020/03/16 9:15 p.m. | 3 views

CVE-2020-7248

libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack based buffer overflow...

CVSS: 7.5 | AI score: 5.9 | EPSS: 0.04568
Exploits: 0 | References: 3
NVD
added 2020/03/16 9:15 p.m. | 13 views

CVE-2020-7248

libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack based buffer overflow...

CVSS: 7.5 | AI score: 7.6 | EPSS: 0.04568
Exploits: 0 | References: 3
Prion
added 2020/03/16 9:15 p.m. | 19 views

Stack overflow

libubox in OpenWrt before 18.06.7 and 19.x before 19.07.1 has a tagged binary data JSON serialization vulnerability that may cause a stack based buffer overflow...

CVSS: 5 | AI score: 7.5 | EPSS: 0.04568
Exploits: 0 | References: 3 | Affected Software: 1
CVE
added 2020/03/16 8:49 p.m. | 87 views

CVE-2020-7248

CVE-2020-7248 affects the OpenWrt libubox library. Multiple sources describe a stack-based buffer overflow caused by a vulnerability in the tagged binary data JSON serialization, specifically in JSON conversion of binary blobs via blobmsg_format_json. The issue impacts OpenWrt before 18.06.7 and ...

CVSS: 7.5 | AI score: 7.7 | EPSS: 0.04568
Exploits: 0 | References: 3 | Affected Software: 1
IBM Security Bulletins
added 2020/03/16 5:52 a.m. | 33 views

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the WebSphere Message Broker V8.

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Versions 7.0.10.50 used by WebSphere Message Broker V8. These issues were disclosed as part of the IBM Java SDK updates in Oct 2019 Vulnerability Details CVEID: CVE-2019-2989 DESCRIPTION: An unspecified vulnerabilit...

CVSS: 6.8 | AI score: 2.1 | EPSS: 0.02946
Exploits: 0 | Affected Software: 1
Tenable Nessus
added 2020/03/13 12:00 a.m. | 33 views

EulerOS Virtualization for ARM 64 3.0.2.0 : libxml2 (EulerOS-SA-2020-1208)

According to the version of the libxml2 packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerability : - The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial ...

CVSS: 7.5 | AI score: 6.7 | EPSS: 0.0127
Exploits: 2 | References: 2
Tenable Nessus
added 2020/03/13 12:00 a.m. | 22 views

GLSA-202003-01 : Groovy: Arbitrary code execution

The remote host is affected by the vulnerability described in GLSA-202003-01 Groovy: Arbitrary code execution It was discovered that there was a vulnerability within the Java serialization/deserialization process. Impact : An attacker, by crafting a special serialized object, could execute...

CVSS: 9.8 | AI score: 8.6 | EPSS: 0.24315
Exploits: 0 | References: 2
OpenVAS
added 2020/03/13 12:00 a.m. | 52 views

Huawei EulerOS: Security Advisory for libxml2 (EulerOS-SA-2020-1208)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS: 7.5 | AI score: 8.1 | EPSS: 0.0127
Exploits: 2 | References: 2
Veracode
added 2020/03/12 4:27 a.m. | 13 views

Remote Code Execution (RCE)

jackson-databind is vulnerable to deserialization of untrusted data that can lead to remote code execution. It is possible because untrusted classes org.apache.shiro.realm.jndi.JndiRealmFactory and org.apache.shiro.jndi.JndiObjectFactory were not filtered by default from the interaction between...

AI score: 4.3
Exploits: 0
OSV
added 2020/03/11 11:30 a.m. | 2 views

SUSE-SU-2020:0640-1 Security update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-pumavenv-openstack-swift

This update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova,...

CVSS: 9.3 | AI score: 7.5 | EPSS: 0.04376
Exploits: 1 | References: 39
IBM Security Bulletins
added 2020/03/10 9:40 p.m. | 47 views

Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway

Summary Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway Vulnerability Details CVEID: CVE-2020-2604 DESCRIPTION: An unspecified vulnerability in Java SE could allow an unauthenticated attacker to take control of the system. CVSS Base score: 8.1 CVSS Temporal Score: See:...

CVSS: 8.1 | AI score: 1.2 | EPSS: 0.01699
Exploits: 0 | Affected Software: 1
Gentoo Linux
added 2020/03/07 12:00 a.m. | 43 views

Groovy: Arbitrary code execution

Background A multi-faceted language for the Java platform Description It was discovered that there was a vulnerability within the Java serialization/deserialization process. Impact An attacker, by crafting a special serialized object, could execute arbitrary code. Workaround There is no known...

CVSS: 9.8 | AI score: 4.1 | EPSS: 0.24315
Exploits: 0
Tenable Nessus
added 2020/03/06 12:00 a.m. | 74 views

Debian DLA-2135-1 : jackson-databind security update

The following CVEs were reported for jackson-databind source package. CVE-2020-9546 FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig aka shaded hikari-config...

CVSS: 9.8 | AI score: 8 | EPSS: 0.62015
Exploits: 0 | References: 5
OpenVAS
added 2020/03/06 12:00 a.m. | 69 views

Debian: Security Advisory (DLA-2135-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS: 9.8 | AI score: 9.8 | EPSS: 0.62015
Exploits: 0 | References: 3
Debian
added 2020/03/05 10:55 p.m. | 101 views

[SECURITY] [DLA 2135-1] jackson-databind security update

Package : jackson-databind Version : 2.4.2-2+deb8u12 CVE ID : CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 The following CVEs were reported for jackson-databind source package. CVE-2020-9546 FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and...

CVSS: 9.8 | AI score: 10 | EPSS: 0.62015
Exploits: 0
RedHat Linux
added 2020/03/05 1:12 p.m. | 3 views

jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

CVSS: 9.8 | AI score: 7 | EPSS: 0.00669
Exploits: 1 | References: 4
Packet Storm
added 2020/03/04 12:00 a.m. | 609 views

Exchange Control Panel Viewstate Deserialization

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'bindata' class MetasploitModule 'Exchange Control Panel Viewstate Deserialization', 'Description' = %q This module exploits a .NET serialization vulnerability i...

CVSS: 9 | AI score: 0.9 | EPSS: 0.94389
Exploits: 30
IBM Security Bulletins
added 2020/03/03 3:26 p.m. | 23 views

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2019 CPU ( CVE-2019-2978, CVE-2019-2983)

Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 7 used by IBM Tivoli System Automation Application Manager 4.1.0.0, 4.1.0.1 . These issues were disclosed as part of the IBM Java SDK updates in Oct 2019. There are multiple vulnerabilities in IBM SDK Java...

CVSS: 4.3 | AI score: 1.1 | EPSS: 0.00527
Exploits: 0 | Affected Software: 1
Veracode
added 2020/03/03 3:42 a.m. | 34 views

Deserialization Of Untrusted Object

jackson-databind is vulnerable to deserialization of untrusted data. It is possible because untrusted class org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig aka shaded hikari-config was not filtered by default from the interaction between serialization gadgets and polymorphic typing...

CVSS: 9.8 | AI score: 3.5 | EPSS: 0.0239
Exploits: 0 | References: 28 | Affected Software: 305