Server side request forgery (ssrf)

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly...

CVE-2020-17531

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to...

CVE-2020-17531 Deserialization flaw in EOL Tapestry 4.

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to...

PT-2020-15035 · Apache · Apache Tapestry

Name of the Vulnerable Software and Affected Versions: Apache Tapestry version 4 Description: A Java Serialization vulnerability was found in Apache Tapestry 4, where it attempts to deserialize the sp parameter before invoking the page's validate method, leading to deserialization without...

UBUNTU-CVE-2020-14779

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization. Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via...

ysoserial

This is a Java tool called ysoserial, which is a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. The tool is designed to create payloads that can be used to execute arbitrary code on a Java application that performs unsafe deserialization of objects...

GHSA-MVR2-9PJ6-7W5J Denial of Service in Google Guava

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class when serialized with Java serialization...

Denial of Service in Google Guava

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class when serialized with Java serialization...

OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization. Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via...

Protection Licensing Toolkit ReadyAPI 3.2.5 Code Execution / Deserialization

Advisory ID: SYSS-2019-039 Product: Protection Licensing Toolkit, SoapUI/LoadUI/ServiceV Pro Manufacturer: jProductivity LLC, SmartBear Software Affected Versions: - ReadyAPI 3.2.5 Tested Versions: ReadyAPI 3.2.5 Vulnerability Type: Unsafe deserialization/remote code execution CWE-502 Risk Level:...

Insecure Deserialization

camel-netty is vulnerable to insecure deserialization. If no codec is specified, it allows objects deserialization using java serialization and deserialization by default rather than restricting only to Strings...

DEBIAN-CVE-2020-2757

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE component: Serialization. Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via...

CVE-2020-2757

CVE-2020-2757 affects Oracle Java SE/SE Embedded (Serialization). Vulnerable: Java SE: 7u251, 8u241, 11.0.6, 14; SE Embedded: 8u241. Impact: unauthenticated network access leading to partial DoS on Java SE/SE Embedded. Root cause: serialization-related handling in the affected component; sandboxe...

PT-2020-2543

Name of the Vulnerable Software and Affected Versions Java SE versions 7u251, 8u241, 11.0.6, and 14 Java SE Embedded version 8u241 Description The issue is related to the Serialization component and is difficult to exploit, allowing an unauthenticated attacker with network access via multiple...

GLSA-202003-01 : Groovy: Arbitrary code execution

The remote host is affected by the vulnerability described in GLSA-202003-01 Groovy: Arbitrary code execution It was discovered that there was a vulnerability within the Java serialization/deserialization process. Impact : An attacker, by crafting a special serialized object, could execute...

OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)

A flaw was found in the serialization component of OpenJDK handled serialization filter. A process-wide filter could have been modified by setting jdk.serialFilter system property at runtime, possibly leading to a bypass of the intended filter during deserialization...

Remote Code Execution

tapestry-core is vulnerable to remote code execution. Access to the classpath asset files is not restricted, allowing an attacker to guess the path to a known file in the classpath and retrieve the contents. It can also potentially allow the attacker to perform a Java serialization attack if the...

Apache Spark RPC Protocol deserialization vulnerability analysis-vulnerability warning-the black bar safety net

Front a burst of Spark official release of the title for the CVE-2018-17190: Unsecured Apache Spark standalone executes user code of the security Bulletin. The announcement indicated the vulnerability affects version to full version, and does not indicate a repaired version, only the relevant...

Security Bulletin: A vulnerability in Open Source BeanShell has been addressed by IBM Kenexa LMS (CVE-2016-2510)

Summary A vulnerability in Open Source BeanShell has been addressed by LMS Vulnerability Details CVEID: CVE-2016-2510 DESCRIPTION: BeanShell could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data using Java serialization or XStream. ...

DEBIAN-CVE-2018-10237

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class when serialized with Java serialization...