44 matches found

Github Security Blog
added 2018/10/24 7:46 p.m. | 32 views

Deserialization of Untrusted Data in Pippo

An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode calls ObjectInputStream.readObject to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPOSESSION...

10 CVSS | 3.1 AI score | 0.04173 EPSS
Exploits 1 | References 5 | Affected Software 1
myhack58
added 2017/08/03 12:0 a.m. | 324 views

Apache Kafka readObject vulnerability analysis report-vulnerability warning-the black bar safety net

I. Background: Apache Kafka is an open-source stream processing platform developed by Apache and written in Scala and Java. The project aims to provide a unified, high-throughput, low-latency real-time data processing platform. II. Vulnerability overview: Kafka the internal...

1.8 AI score
Exploits 0
Exploit DB
added 2016/04/01 12:0 a.m. | 22 views

Adobe Flash - URLStream.readObject Use-After-Free

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=611 There is a use-after-free in URLStream.readObject. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and the...

7.4 AI score
Exploits 0
OpenVAS
added 2014/10/20 12:0 a.m. | 44 views

Oracle Java SE JRE Multiple Unspecified Vulnerabilities-01 (Oct 2014) - Windows

Oracle Java SE JRE is prone to multiple unspecified vulnerabilities. SPDX-FileCopyrightText: 2014 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

6.8 CVSS | 4.9 AI score | 0.09411 EPSS
Exploits 0 | References 9