EUVD-2020-0604

Malware in sbrugna...

com.twitter.ambrose:ambrose-hive (>=0.2.6 <=0.3.0), org.securegraph:securegraph-accumulo (>=0.5.0 <=0.8.1) +5 more potentially affected by CVE-2014-3627 via org.apache.hadoop:hadoop-client (>=0.23.10 <=0.23.9)

org.apache.hadoop:hadoop-client MAVEN version =0.23.10, =0.2.6, =0.5.0, =0.5.0, =0.5.0, =0.6.0, =0.5.0, =0.5.0, =0.8.1 Source cves: CVE-2014-3627 Source advisory: OSV:GHSA-JPMF-8CJ2-595G...

org.apache.hadoop:hadoop-client (>=0.23.7 <=0.23.11), org.apache.hama:hama-yarn (>=0.5.0 <=0.6.2) +6 more potentially affected by CVE-2013-2192 via org.apache.hadoop:hadoop-common (>=0.23.1 <=0.23.8)

org.apache.hadoop:hadoop-common MAVEN version =0.23.1, =0.23.7, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.6.0, =0.5.0, =0.5.0, =0.8.1 Source cves: CVE-2013-2192 Source advisory: OSV:GHSA-PXV5-5VMP-3JJ4...

org.apache.hadoop:hadoop-client (=0.23.10), org.apache.hama:hama-yarn (>=0.5.0 <=0.6.2) +6 more potentially affected by CVE-2014-0229 via org.apache.hadoop:hadoop-common (>=0.23.1 <=0.23.10)

org.apache.hadoop:hadoop-common MAVEN version =0.23.1, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.6.0, =0.5.0, =0.5.0, =0.8.1 Source cves: CVE-2014-0229 Source advisory: OSV:GHSA-9R7G-325H-MXRM...

GHSA-V2RG-8CWR-75G8 Deserializer tampering in Apache Dubbo

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following t...

CVE-2021-25641

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following t...

Code injection

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following t...

CVE-2021-25641 Dubbo Zookeeper does not check serialization id

Each Apache Dubbo server will set a serialization id to tell the clients which serialization protocol it is working on. But for Dubbo versions before 2.7.8 or 2.6.9, an attacker can choose which serialization id the Provider will use by tampering with the byte preamble flags, aka, not following t...

OSV-2021-812 Uncaught exception in com.esotericsoftware.kryo.serializers.FieldSerializer.read

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34733 Crash type: Uncaught exception Crash state: com.esotericsoftware.kryo.serializers.FieldSerializer.read com.esotericsoftware.kryo.Kryo.readObject DeserializeStringFuzzer.fuzzerTestOneInput...

GHSA-86QR-9VQC-PGC6 Code execution in Spring Integration

Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...

Code execution in Spring Integration

Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...

CVE-2020-5413

Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...

CVE-2020-5413

Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...

Deserialization of untrusted data

Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...

CVE-2020-5413

CVE-2020-5413 affects Spring Integration Kryo-based (de)serialization. When Kryo is configured with default options, unregistered classes can be resolved on demand, enabling deserialization gadgets to execute malicious code during data intake. The provided connected documents confirm the issue an...

CVE-2020-5413 Kryo Configuration Allows Code Execution with Unknown "Serialization Gadgets"

Spring Integration framework provides Kryo Codec implementations as an alternative for Java deserialization. When Kryo is configured with default options, all unregistered classes are resolved on demand. This leads to the "deserialization gadgets" exploit when provided data contains malicious cod...

Remote Code Execution (RCE)

Spring Integration Core is vulnerable to remote code execution RCE. It accepts all unregistered classes on demand when Kryo is configured using default options, allowing a malicious class to be deserialized...

Esoteric Software kryo Security Bypass Vulnerability

Esoteric Software kryo is Esoteric Software's set of object serialization framework for Java . A security bypass vulnerability exists in Esoteric Software kryo, which can be exploited by an attacker to bypass security restrictions and perform unauthorized operations...