Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution Exploit

Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache...

groovy: remote execution of untrusted code in class MethodClosure

A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code...

CentOS 7 : groovy (CESA-2017:2486)

An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...

OracleVM 3.2 : xen (OVMSA-2017-0149)

The remote OracleVM system is missing necessary patches to address critical security updates : - From e26560a4b056dad6d85ffd9ebfad9565f210a9cc Mon Sep 17 00:00:00 2001 From: Jan Beulich Date: Wed, 30 May 2012 09:22:17 +0100 Subject: PATCH gnttab: don't use domain lock for serialization Instead us...

groovy security update

CentOS Errata and Security Advisory CESA-2017:2486 An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

CVE-2017-14035

CrushFTP 8.x before 8.2.0 has a serialization vulnerability...

CVE-2017-14035

CrushFTP 8.x before 8.2.0 has a serialization vulnerability...

Design/Logic Flaw

CrushFTP 8.x before 8.2.0 has a serialization vulnerability...

CVE-2017-14035

CrushFTP 8.x before 8.2.0 is affected by a serialization vulnerability. The connected records identify CrushFTP as the affected product and reference a serialization flaw in versions prior to 8.2.0. The supplied documents do not provide root-cause details, exploit information, impact specifics, o...

CVE-2017-14035

CrushFTP 8.x before 8.2.0 has a serialization vulnerability...

Sobelow - Security-Focused Static Analysis for the Phoenix Framework

Sobelow is a security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent introducing a number of common vulnerabilities. Currently Sobelow detects...

MGASA-2017-0311 Updated groovy and groovy18 packages fix security vulnerability

It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization an...

BSA-2017-420

Security Advisory ID : BSA-2017-420 Component : Java Revision : 2.0: Interim Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Serialization. Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit:...

OpenJDK: unbounded memory allocation in BasicAttribute deserialization (Serialization, 8174105)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Serialization. Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker...

Arbitrary Code Execution Through Serialization

QOS.ch Logback is vulnerable to arbitrary code execution through serialization. It is possible to write untrusted objects from the Logger, allowing arbitrary code execution. This is related to CVE-2017-5929...

groovy: remote execution of untrusted code in class MethodClosure

A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code...

OpenJDK: unbounded memory allocation in CodeSource deserialization (Serialization, 8174113)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Serialization. Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker...

OpenJDK: unbounded memory allocation in BasicAttribute deserialization (Serialization, 8174105)

Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE subcomponent: Serialization. Supported versions that are affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131; JRockit: R28.3.14. Easily exploitable vulnerability allows unauthenticated attacker...

Java deserialization crisis has passed, this time to the is. Net deserialization vulnerability-vulnerability warning-the black bar safety net

2016 Java applications and developers by deserialization vulnerability to the devastating effects, and now . NET ecosystem also are suffering from the same crisis. A new problem exists in . NET code library to handle deserialization of operation, the attacker can also by this vulnerability in the...

Session Cache API - Critical - Multiple vulnerabilities - DRUPAL-SA-CONTRIB-2017-065

This module does not safely deal with serialization. CVE identifiers issued ACVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes. Versions affected Session Cache API 7.x-1.4 Drupal core is not affected. If you do not use the contributed...