5 matches found

RedHat Linux
added 2023/11/15 5:7 p.m. | 3 views

activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a remote code execution (RCE) attack

A flaw was found in Apache ActiveMQ, specifically the OpenWire Module. This flaw may allow a remote malicious user to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate any class on the classpath. This issue happens when...

CVSS 10 | AI score 7.3 | EPSS 0.94436
Exploits 31 | References 7

Veracode
added 2020/08/26 3:45 a.m. | 28 views

Arbitrary Code Execution

jackson-databind is vulnerable to arbitrary code execution. The vulnerability exists as an untrusted class, br.com.anteros.dbcp.AnterosDBCPDataSource, was not filtered by default from the interaction between serialization gadgets and polymorphic typing...

CVSS 8.1 | AI score 4.4 | EPSS 0.02908
Exploits 1 | References 12 | Affected Software 3

Veracode
added 2020/06/15 4:11 a.m. | 33 views

Remote Code Execution (RCE)

jackson-databind is vulnerable to deserialization of untrusted data that can lead to remote code execution. It is possible because the untrusted class com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool was not filtered by default from the interaction between serialization gadgets and...

CVSS 8.1 | AI score 4.4 | EPSS 0.09872
Exploits 0 | References 11 | Affected Software 245

Amazon
added 2018/03/21 12:0 a.m. | 39 views

Important: java-1.7.0-openjdk

Issue Overview: DerValue unbounded memory allocation: It was discovered that the Libraries component of OpenJDK failed to sufficiently limit the amount of memory allocated when reading DER encoded input. A remote attacker could possibly use this flaw to make a Java application use an excessive...

CVSS 8.3 | AI score 7.7 | EPSS 0.0052
Exploits 0

NVD
added 2001/01/09 5:0 a.m. | 17 views

CVE-2000-1099

Java Runtime Environment in Java Development Kit JDK 1.2.205 and earlier can allow an untrusted Java class to call into a disallowed class, which could allow an attacker to escape the Java sandbox and conduct unauthorized activities...

CVSS 5.1 | AI score 6.5 | EPSS 0.00599
Exploits 0 | References 4