Linux/x86 - (reboot) polymorphic Shellcode (26 bytes)

Exploit Title: Linux\x86 - 'reboot' polymorphic Shellcode 26 bytes Purpose: This is a x86 Linux null-free polymorphic shellcode for forcing a reboot. Author: Upayan a.k.a. slaeryan Contact: email protected SLAE: 1525 Vendor Homepage: None Software Link: None Tested on: Linux x86 CVE: N/A / ;...

Remote Code Execution (RCE)

jackson-databind is vulnerable to remote code execution RCE through deserialization of untrusted data. It is possible because the untrusted class, com.caucho.config.types.ResourceRef , was not filtered by default from the interaction between serialization gadgets and polymorphinc typing...

Remote Code Execution

jackson-databind is vulnerable to deserialization of untrusted data that can lead to remote code execution. The gadget org.apache.aries.transaction.jms is not validated and filtered by default from the interaction between serialization gadgets and polymorphic typing, allowing for injection of sai...

jackson-databind: Serialization gadgets in classes of the xalan package

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in classes of the ehcache package

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLA...

jackson-databind: Serialization gadgets in classes of the commons-configuration package

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code...

jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariConfig gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the commons-dbcp gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the HikariDataSource gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the log4j-extra gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the p6spy gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLASS...

jackson-databind: Serialization gadgets in classes of the ehcache package

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the ehcache gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLA...

jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the log4j-extra gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in classes of the xalan package

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the commons-dbcp gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or...

jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the p6spy gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when @JsonTypeInfo is using Id.CLASS or Id.MINIMALCLASS...

Moderate: Red Hat Security Advisory: Red Hat Process Automation Manager 7.7.0 Security Update

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CV...

Remote Code Execution (RCE)

jackson-databind is vulnerable to deserialization of untrusted data that can lead to remote code execution. It is possible because untrusted classes org.apache.shiro.realm.jndi.JndiRealmFactory and org.apache.shiro.jndi.JndiObjectFactory were not filtered by default from the interaction between...

Behavioral blocking and containment: Transforming optics into protection

In today’s threat landscape—overrun by fileless malware that live off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, human-operated attacks that adapt to what adversaries find on compromised machines, and other sophisticated threats—behavioral...

jackson-databind: Serialization gadgets in classes of the commons-configuration package

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code...