The vulnerability of the jackson-databind library, related to an error in restricting XML links to external objects, allows attackers to execute XXE attacks.

The vulnerability of the jackson-databind library is related to an error in restricting XML links to external objects. Exploiting this vulnerability may allow a remote attacker to execute an XXE attack using polymorphic deserialization...

jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using blaze classes. An attacker could use this flaw to execute arbitrary code...

jackson-databind: improper polymorphic deserialization in axis2-transport-jms class

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code...

jackson-databind: improper polymorphic deserialization in openjpa class

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code...

jackson-databind: improper polymorphic deserialization in jboss-common-core class

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code...

jackson-databind: improper polymorphic deserialization in jboss-common-core class

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the jboss-common-core class. An attacker could use this flaw to execute arbitrary code...

jackson-databind: improper polymorphic deserialization in axis2-transport-jms class

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the axis2-transport-jms class. An attacker could use this flaw to execute arbitrary code...

jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery SSRF attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization...

jackson-databind: exfiltration/XXE in some JDK classes

A flaw was discovered in FasterXML jackson-databind, where it would permit polymorphic deserialization of malicious objects using the slf4j, flex messaging, sun DRSHelper and JAX-WS gadgets when used in conjunction with polymorphic type handling methods such as enableDefaultTyping or when...

jackson-databind: improper polymorphic deserialization in openjpa class

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using the OpenJPA class. An attacker could use this flaw to execute arbitrary code...

Important: Red Hat Security Advisory: rh-maven35-jackson-databind security update

An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for eac...

jackson-databind: arbitrary code execution in slf4j-ext class

A flaw was discovered in jackson-databind, where it would permit polymorphic deserialization of a malicious object using slf4j classes. An attacker could use this flaw to execute arbitrary code...

The vulnerability of the Jackson-databind library arises from the lack of class protection for slf4j-ext, which allows attackers to execute arbitrary code.

The vulnerability of the Jackson-databind library arises from the lack of protection for the slf4j-ext class against polymorphic deserialization. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

[SECURITY] Fedora 29 Update: clamav-0.101.2-1.fc29

Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers attachment scanning. The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs ar...

Linux/x86 - Polymorphic execve(/bin/sh) Shellcode (63 bytes)

/ ; Date: 09/03/2019 ; PolymorphicExecveShStack.asm ; Author: Daniele Votta ; Description: This program invoke a Polimorphic version of excve. Original ExecveShStack: file format elf32-i386 Disassembly of section .text: 08048080 : 8048080: 31 c0 xor eax,eax 8048082: 50 push eax 8048083: 68 2f 2f ...

Threat Roundup for March 22 to March 29

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 22 and March 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral...

Phantom Evasion - Python AV Evasion Tool Capable To Generate FUD Executable Even With The Most Common 32 Bit Metasploit Payload (Exe/Elf/Dmg/Apk)

Phantom-Evasion is an interactive antivirus evasion tool written in python capable to generate almost FUD executable even with the most common 32 bit msfvenom payload lower detection ratio with 64 bit payloads. The aim of this tool is to make antivirus evasion an easy task for pentesters through...

Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java (Feb 2019, updated)

Summary Multiple vulnerabilities affect IBM Cloud Object Storage SDK Java. These vulnerabilities have been addressed in the latest SDK Java releases. Vulnerability Details CVE-ID: CVE-2018-19362 Description: An unspecified error with failure to block the jboss-common-core class from polymorphic...

Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2019 CPU)

According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.15.6 or 17.x prior to 17.12.9.2 or 18.x prior to 18.8.4.1. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file upload vulnerabili...

Arbitrary Code Execution in jackson-databind

FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization...