Exploit for Deserialization of Untrusted Data in Nextgen Mirth_Connect
CVE-2023-43208 — Mirth Connect Pre-Auth RCE Pre-authenticated...
Exploit for Deserialization of Untrusted Data in Apache Struts
CVE-2017-9805: Apache Struts 2 S2-052 RCE Analysis This repository, Ap...
SUSE CVE-2017-9805
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads...
VMware Cloud Foundation XStream Deserialization
Added: 10/31/2022 Background VMware Cloud Foundation is a hybrid cloud platform. Problem An XStream deserialization vulnerability in the NSM Manager component of VMware Cloud Foundation NSX-V allows a remote attacker to execute arbitrary commands. Resolution Apply the patch referenced in...
The vulnerability of the XStream library for converting objects to XML or JSON format in the VMware Cloud Foundation virtualization platform allows a perpetrator to execute arbitrary code with root privileges.
The vulnerability of the XStream library for converting objects to XML or JSON format in the VMware Cloud Foundation platform is related to deserialization errors and the ability to execute arbitrary code. Exploiting this vulnerability allows a malicious actor to execute arbitrary code with root...
SRC-2022-0021 : VMWare Cloud Foundation NSX-V XStream Deserialization of Untrusted Data Remote Code Execution Vulnerability
Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of VMWare Cloud Foundation NSX-V. Authentication is not required to exploit this vulnerability. The specific flaw exists due to a vulnerable unmarshaller used to handle incoming...
xstream: Server-side request forgery (SSRF) via unsafe deserialization of com.sun.xml.internal.ws.client.sei.*
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to request data from internal resources that are not publicly available by manipulating the processed input stream with Java runtime versions 14 to 8. The highest thre...
VulnCheck KEV: CVE-2017-9805
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads...
xstream: Arbitrary code execution via unsafe deserialization of com.sun.jndi.ldap.LdapBindingEnumeration
A flaw was found in xstream, a simple library used to serialize objects to XML and back again. This flaw allows a remote attacker to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality,...
GHSA-XW4P-CRPJ-VJX2 A Server-Side Request Forgery can be triggered when unmarshalling with XStream to access data streams from an arbitrary URL referencing a resource in an intranet or on the local host
Impact The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected who followed the recommendation to set up XStream's security...
Exploit for Deserialization of Untrusted Data in Xstream
Xstream-1.4.17 The above Xstream demo environment was set up...
Exploit for OS Command Injection in Xstream
CVE-2020-26217 is a remote code execution RCE vulnerability in the XStream library, which is a popular XML serialization library for Java. The vulnerability is present in versions of XStream prior to 1.4.13. The vulnerability is caused by a deserialization issue in the XStream library, which allo...
SpringBootVulExploit
This repository contains a collection of Spring Boot vulnerability exploits and research materials. The repository includes various projects, each targeting a specific vulnerability in Spring Boot applications. The vulnerabilities include: 1. JNDI Object deserialization RCE Remote Code Execution ...
xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)
It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. This is a regression of...
CVE-2018-17200
The Apache OFBiz HTTP engine org.apache.ofbiz.service.engine.HttpEngine.java handles requests for HTTP services via the /webtools/control/httpService endpoint. This service takes the serviceContent parameter in the request and deserializes it using XStream. This XStream instance is slightly guard...
UBUNTU-CVE-2019-10173
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON...
GHSA-GG9M-FJ3V-R58C REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads...
Apache Struts REST plugin XStream deserialization vulnerability
Added: 09/08/2017 CVE: CVE-2017-9805 BID: 100609 Background Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller MVC architecture. Problem The REST plugi...
Remote Code Execution (RCE)
struts2-rest-plugin is vulnerable to remote code execution RCE attacks. The vulnerability exists as XStream objects are being deserialized without any type filtering...