Lucene search

16 matches found

RedhatCVE
added 3 days ago | 9 views

CVE-2026-36501

An issue in the Externalizable.readExternal component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input...

7.5 CVSS | 5.5 AI score | 0.00044 EPSS
Exploits: 0 | References: 1
Veracode
added 3 days ago | 6 views

Deserialization Of Untrusted Data

org.apache.fory:fory-core is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to improper handling of the Java replace-resolve deserialization path, which allows an attacker to bypass security checks and invoke arbitrary readResolve or readExternal methods through crafted...

9.1 CVSS | 5.7 AI score | 0.00175 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Snyk
added 6 days ago | 2 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the readExternal methods in the AE, SS, and ServerConfigurationPayload classes, all of which call builderWithExpectedSize without checking the size of the input. A cluster user wit...

7.5 CVSS | 5.5 AI score | 0.00044 EPSS
Exploits: 0 | References: 2
NVD
added 6 days ago | 5 views

CVE-2026-36501

An issue in the Externalizable.readExternal component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input...

7.5 CVSS | 0.00044 EPSS
Exploits: 0 | References: 2
EUVD
added 6 days ago | 5 views

EUVD-2026-34867

An issue in the Externalizable.readExternal component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input...

5.5 AI score | 0.00044 EPSS
Exploits: 0 | References: 2
Cvelist
added 6 days ago | 25 views

CVE-2026-36501

An issue in the Externalizable.readExternal component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input...

0.00044 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 6 days ago | 4 views

CVE-2026-36501

An issue in the Externalizable.readExternal component of Controller v12.0.5 allows attackers to cause a Denial of Service (DoS) via a crafted input...

5.5 AI score | 0.00044 EPSS
Exploits: 0 | References: 2
EUVD
added last week | 6 views

EUVD-2026-34300

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

9.1 CVSS | 5.8 AI score | 0.00175 EPSS
Exploits: 0 | References: 1
Cvelist
added last week | 34 views

CVE-2026-50076 Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...

0.00175 EPSS
Exploits: 0 | References: 1
Veracode
added 2022/06/28 3:22 a.m. | 20 views

Denial Of Service (DoS)

systemds is vulnerable to denial of service. The vulnerability exists because the readExternal function of DecoderComposite.java does not properly check the number of deserialized decoders in the DecoderComposite object, allowing an attacker to crash the application by providing a large size of...

7.5 CVSS | 7 AI score | 0.06109 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
Github Security Blog
added 2022/06/28 12:0 a.m. | 16 views

SystemDS CPU exhaustion vulnerability

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a...

7.5 CVSS | 1.3 AI score | 0.06109 EPSS
Exploits: 0 | References: 5 | Affected Software: 2
OSV
added 2022/06/28 12:0 a.m. | 14 views

GHSA-M43H-HFRQ-X8WX SystemDS CPU exhaustion vulnerability

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a...

8.7 CVSS | 7.4 AI score | 0.06109 EPSS
Exploits: 0 | References: 6
NVD
added 2022/06/27 6:15 p.m. | 13 views

CVE-2022-26477

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a...

7.5 CVSS | 0.06109 EPSS
Exploits: 0 | References: 2
OSV
added 2022/06/27 6:15 p.m. | 2 views

CVE-2022-26477

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a...

7.5 CVSS | 7.2 AI score
Exploits: 0 | References: 2
ATTACKERKB
added 2022/06/27 6:15 p.m. | 2 views

CVE-2022-26477

The Security Team noticed that the termination condition of the for loop in the readExternal method is a controllable variable, which, if tampered with, may lead to CPU exhaustion. As a fix, we added an upper bound and termination condition in the read and write logic. We classify it as a...

7.5 CVSS | 7.1 AI score | 0.06109 EPSS
Exploits: 0 | References: 3
CNNVD
added 2022/06/27 12:0 a.m. | 2 views

Apache SystemDS Resource Management Error Vulnerability

A denial of service vulnerability exists in Apache SystemDS version 2.2.1 and earlier, which stems from the fact that the termination condition of the for loop in the readExternal method is a controlled variable. An attacker could use this vulnerability to tamper with the traversal to cause CPU...

7.5 CVSS | 5.7 AI score | 0.06109 EPSS
Exploits: 0 | References: 3