EUVD-2020-0438

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig aka ibatis-sqlmap...

CVE-2020-9547

The CVE refers to FasterXML jackson-databind 2.x prior to 2.9.10.4, where handling of serialization gadgets and typing leads to deserialization vulnerabilities. The vulnerability affects the jackson-databind component (IBM/Oracle/NVD context lists critical impacts to confidentiality, integrity, a...

CVE-2020-9547

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig aka ibatis-sqlmap...

CVE-2020-9548

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig aka anteros-core...

CVE-2020-9548

CVE-2020-9548 (jackson-databind 2.x prior to 2.9.10.4) is described in IBM/Cloudera documentation as a deserialization-type issue tied to br.com.anteros.dbcp.AnterosDBCPConfig (anteros-core). The impact is high (CVE-3.x 9.8, CVSSv3) with potential RCE/data integrity concerns via gadget typing int...

CVE-2020-9548

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig aka anteros-core...

PT-2020-3306 · Fasterxml +7 · Jackson-Databind +7

Name of the Vulnerable Software and Affected Versions: FasterXML jackson-databind versions prior to 2.9.10.4 jackson-databind versions 2.7.9.7 and earlier jackson-databind versions 2.8.11.6 and earlier debian debian linux, fasterxml jackson-databind, netapp active iq unified manager, oracle autov...

[SECURITY] Fedora 31 Update: PyYAML-5.3-2.fc31

YAML is a data serialization format designed for human readability and interaction with scripting languages. PyYAML is a YAML parser and emitter for Python. PyYAML features a complete YAML 1.1 parser, Unicode support, pickle support, capable extension API, and sensible error messages. PyYAML...

Exchange Control Panel ViewState Deserialization

This module exploits a .NET serialization vulnerability in the Exchange Control Panel ECP web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of...

Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20200227)

Security Fixes : - OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS Security, 8229951 CVE-2020-2601 - OpenJDK: Serialization filter changes via jdk.serialFilter property modification Serialization, 8231422 CVE-2020-2604 - OpenJDK: Improper checks of SASL message properties in GssKrb5Base...

RHEL 6 : java-1.7.0-openjdk (RHSA-2020:0632)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0632 advisory. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security...

java security update

CentOS Errata and Security Advisory CESA-2020:0632 An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detail...

Design/Logic Flaw

An administrative application user of or application user with write access to Aruba Airwave VisualRF is able to obtain code execution on the AMP platform. This is possible due to the ability to overwrite a file on disk which is subsequently deserialized by the Java application component...

Important: Red Hat Security Advisory: java-1.7.0-openjdk security update

An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)

A flaw was found in the serialization component of OpenJDK handled serialization filter. A process-wide filter could have been modified by setting jdk.serialFilter system property at runtime, possibly leading to a bypass of the intended filter during deserialization...

OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909)

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization. Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via...

SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2020:0456-1)

This update for java-171-ibm fixes the following issues : Java was updated to 7.1 Service Refresh 4 Fix Pack 60 bsc1162972, bsc1160968. Security issues fixed : CVE-2020-2583: Fixed a serialization vulnerability in BeanContextSupport bsc1162972. CVE-2020-2593: Fixed an incorrect check in...

Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2020-1345)

The version of java-1.8.0-openjdk installed on the remote host is prior to 1.8.0.242.b08-0.50. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2020-1345 advisory. Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Networking...

Amazon Linux 2 : java-1.8.0-openjdk (ALAS-2020-1396)

The version of java-1.8.0-openjdk installed on the remote host is prior to 1.8.0.242.b08-0. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1396 advisory. Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Networking. Support...

Gadgetinspector - A Byte Code Analyzer For Finding Deserialization Gadget Chains In Java Applications

This project inspects Java libraries and classpaths for gadget chains. Gadgets chains are used to construct exploits for deserialization vulnerabilities. By automatically discovering possible gadgets chains in an application's classpath penetration testers can quickly construct exploits and...