Total
1526 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-10289 | 1 Openrobotics | 1 Robot Operating System | 2024-09-16 | 8.8 High |
| Use of unsafe yaml load. Allows instantiation of arbitrary objects. The flaw itself is caused by an unsafe parsing of YAML values which happens whenever an action message is processed to be sent, and allows for the creation of Python objects. Through this flaw in the ROS core package of actionlib, an attacker with local or remote access can make the ROS Master, execute arbitrary code in Python form. Consider yaml.safe_load() instead. Located first in actionlib/tools/library.py:132. See links for more info on the bug. | ||||
| CVE-2017-0806 | 1 Google | 1 Android | 2024-09-16 | N/A |
| An elevation of privilege vulnerability in the Android framework (gatekeeperresponse). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-62998805. | ||||
| CVE-2022-36964 | 1 Solarwinds | 1 Orion Platform | 2024-09-16 | 8.8 High |
| SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands. | ||||
| CVE-2017-14035 | 1 Crushftp | 1 Crushftp | 2024-09-16 | N/A |
| CrushFTP 8.x before 8.2.0 has a serialization vulnerability. | ||||
| CVE-2017-5641 | 2 Apache, Hp | 2 Flex Blazeds, Xp Command View Advanced Edition | 2024-09-16 | 9.8 Critical |
| Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not restrict which types were allowed for AMF(X) object deserialization by default. During the deserialization process code is executed that for several known types has undesired side-effects. Other, unknown types may also exhibit such behaviors. One vector in the Java standard library exists that allows an attacker to trigger possibly further exploitable Java deserialization of untrusted data. Other known vectors in third party libraries can be used to trigger remote code execution. | ||||
| CVE-2017-13286 | 1 Google | 1 Android | 2024-09-16 | N/A |
| In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 8.0, 8.1. Android ID: A-69683251. | ||||
| CVE-2020-4448 | 1 Ibm | 2 Websphere Application Server, Websphere Virtual Enterprise | 2024-09-16 | 9.8 Critical |
| IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 181228. | ||||
| CVE-2021-35217 | 1 Solarwinds | 1 Patch Manager | 2024-09-16 | 8.9 High |
| Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data. | ||||
| CVE-2021-22855 | 1 Hr Portal Project | 1 Hr Portal | 2024-09-16 | 9.8 Critical |
| The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands. | ||||
| CVE-2016-6814 | 2 Apache, Redhat | 7 Groovy, Enterprise Linux, Enterprise Linux Server and 4 more | 2024-09-16 | N/A |
| When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability. | ||||
| CVE-2022-25767 | 1 Ureport2 Project | 1 Ureport2 | 2024-09-16 | 9.8 Critical |
| All versions of package com.bstek.ureport:ureport2-console are vulnerable to Remote Code Execution by connecting to a malicious database server, causing arbitrary file read and deserialization of local gadgets. | ||||
| CVE-2017-8963 | 1 Hp | 1 Intelligent Management Center | 2024-09-16 | N/A |
| A Deserialization of Untrusted Data vulnerability in Hewlett Packard Enterprise Intelligent Management Center (iMC) PLAT version 7.3 E0504P2 was found. | ||||
| CVE-2018-18628 | 1 Pippo | 1 Pippo | 2024-09-16 | N/A |
| An issue was discovered in Pippo 1.11.0. The function SerializationSessionDataTranscoder.decode() calls ObjectInputStream.readObject() to deserialize a SessionData object without checking the object types. An attacker can create a malicious object, base64 encode it, and place it in the PIPPO_SESSION field of a cookie. Sending this cookie may lead to remote code execution. | ||||
| CVE-2020-5327 | 1 Dell | 1 Security Management Server | 2024-09-16 | 8.1 High |
| Dell Security Management Server versions prior to 10.2.10 contain a Java RMI Deserialization of Untrusted Data vulnerability. When the server is exposed to the internet and Windows Firewall is disabled, a remote unauthenticated attacker may exploit this vulnerability by sending a crafted RMI request to execute arbitrary code on the target host. | ||||
| CVE-2017-2295 | 3 Debian, Puppet, Redhat | 4 Debian Linux, Puppet, Satellite and 1 more | 2024-09-16 | N/A |
| Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. | ||||
| CVE-2020-4272 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-09-16 | 8.8 High |
| IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted request specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-ForceID: 175898. | ||||
| CVE-2017-12556 | 1 Hp | 1 Intelligent Management Center | 2024-09-16 | N/A |
| A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found. | ||||
| CVE-2020-4271 | 2 Ibm, Linux | 2 Qradar Security Information And Event Manager, Linux Kernel | 2024-09-16 | 6.3 Medium |
| IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user. IBM X-ForceID: 175897. | ||||
| CVE-2022-0138 | 1 Airspan | 9 A5x, A5x Firmware, C5c and 6 more | 2024-09-16 | 7.5 High |
| MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 has a deserialization function that does not validate or check the data, allowing arbitrary classes to be created. | ||||
| CVE-2016-8511 | 1 Hp | 1 Network Automation | 2024-09-16 | N/A |
| A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization version v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20 was found. | ||||