5 matches found
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the readExternal methods in the AE, SS, and ServerConfigurationPayload classes, all of which call builderWithExpectedSize without checking the size of the input. A cluster user wit...
ignite: Improper deserialization allows for code execution via GridClientJdkMarshaller endpoint
In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be...
ignite: Possible Execution of Arbitrary Code Within Deserialization Endpoints
In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one...
qpid-proton: reactor sends messages in clear if ssl is requested but not available
The 1 proton.reactor.Connector, 2 proton.reactor.Container, and 3 proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain...
Code injection
IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference : 1983457...